简单但安全的密码哈希

I'm looking for a simple (or as simple as possible) yet secure method for hashing and salting a users password when submitting it to the database and then retrieving from the database. Having spent the past 3 hours researching, there are literally hundreds of different methods that each person will say is the best method.

I'm looking for a relatively simple method that will also keep users accounts secure. Obviously the term secure can be interpreted differently, but i just want it, at the very least, be very difficult for a would-be hacker (or whatever you'd call these saddo's) to gain access to a users account.

I appreciate that i should have at least tried a few things, but they all seem so convoluted and overly secure for my purpose.

I tried using password_hash() but it appears i'm running an earlier PHP version than 5.5. I understand there are issues with the code below, but it's simply a starting point for a person project i'm working on in order to better learn PHP.

Current registration form

$username = $_POST['username'];
$password = $_POST['password'];

try {   

    $result = $db->prepare("INSERT INTO 
                            user_info 
                            SET 
                            username = :user,
                            pass = :pass
                            ");
    $result->bindParam(':user', $username);
    $result->bindParam(':pass', $password);
    $result->execute();
}

catch (Exception $e) {
    echo "Could not create username";
}

if (isset($_POST['submit'])) { 
    foreach ($_POST as $field) {
        if (empty($field)) {
            $fail = true;
        }
        else {
            $continue = false;
        }
    }
    if ($field == $fail) {
        echo "You must enter a username and/or password";
    }
    else {
        echo "Your account has been successfully created.";
    }
     }

The login logic

$username = $_POST['username'];          
$password = $_POST['password'];

try {   

    $result = $db->prepare("SELECT username, pass FROM user_info WHERE username = :user AND BINARY pass = :pass");
    $result->bindParam(':user', $username);
    $result->bindParam(':pass', $password);
    $result->execute();
    $rows = $result->fetch(PDO::FETCH_NUM);
}

catch (Exception $e) {
    echo "Could not retrieve data from database";
    exit();
}

if ($password = $rows) {
    session_start();
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['loggedin'] = true;
    include("inc/redirect.php");

} else {
    if (isset($_POST['login'])) {
        echo "Username or password incorrect (passwords are case sensitive)";
    }
}

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

4条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
duandu8707 2014-06-26 07:11
关注
With password_hash() you are on the right track. For PHP versions 5.3.7 - 5.5 you can use the compatibility pack, later when you switch to a newer PHP version, you can simply remove this php file from your project and the code will still run.

// Hash a new password for storing in the database. // The function automatically generates a cryptographically safe salt. $hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT); // Check if the hash of the entered login password, matches the stored hash. // The salt and the cost factor will be extracted from $existingHashFromDb. $isPasswordCorrect = password_verify($password, $existingHashFromDb);

Even for lower PHP versions than 5.3.7 you can use the compatibility pack‌. You only have to edit line 55 and change the algorithm from sprintf("$2y$%02d$", $cost); to sprintf("$2a$%02d$", $cost);. This is of course not optimal, but it is the best you can do for PHP between 5.3 and 5.3.7.

The problem with other algorithms like SHA* or MD5 is, that they are ways too fast. It is possible to calculate about 3 Giga SHA-1 per second with common hardware, that makes brute-forcing too easy. To test a whole english dictionary you would need only a fraction of a millisecond. That's why one should use a hash algorithm with a cost factor like BCrypt or PBKDF2, they allow to control the necessary time to calculate a single hash.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(3条)

报告相同问题？

关注问题

简单但安全的密码哈希 php
2014-06-25 22:24

回答 4 已采纳 With password_hash() you are on the right track. For PHP versions 5.3.7 - 5.5 you can use the comp
Php - 密码哈希 php
2015-10-25 23:58

回答 1 已采纳 It's hard to understand what you're asking, but I bet you want to hash the value of $password befo
密码哈希PHP 7 [关闭] php
2017-02-08 18:11

回答 1 已采纳 You should never encrypt passwords, you should only hash them. Encryption implies that you can dec
PHP 编写的简单网络安全示例.zip
2024-04-07 23:21

在登录时，系统会从数据库中检索用户的密码哈希值，并使用 password_verify 函数来验证用户输入的密码是否正确。这个示例演示了如何使用 PHP 和 MySQL 来实现基本的用户注册和登录系统，并利用哈希加密来提高密码的...
批量密码哈希PHP-LOGIN PROJECT代码 mysql php
2015-06-03 09:47

回答 2 已采纳 <?php // you should put your db connection stuff here require('connect.php'); //you create a
使用php生成密码哈希 php
2015-03-10 19:13

回答 1 已采纳 There's a lot of hate in the OP's comments. But it's misdirected - OP is not trying to decode anyt
如何检索登录php的哈希密码 database php sql
2016-06-25 12:04

回答 3 已采纳 Okay so basically to explain how password_verify works: The first parameter is a non-hashed passw
PHP 5.5 创建和验证哈希最简单的方法详解
2021-01-20 01:08

这将用作创建一个新的密码的哈希值。它包含三个参数：密码、哈希算法、选项。前两项为必须的。你可以根据下面的例子来使用这个函数：复制代码代码如下:$password = ‘foo’;$hash = password_hash($password,...
蛋糕php-密码哈希 php
2014-01-02 10:13

回答 1 已采纳 Use this to hash the password: $this->data['User']['password'] = AuthComponent::password(
PHP登录没有错误，但哈希时密码不相等 database php sql
2017-11-21 11:45

回答 1 已采纳 Your database password column is not long enough, and it's truncating the values. From the manual:
如何使用PHP创建wordpress密码哈希生成器？ [关闭] php
2018-07-12 07:21

回答 1 已采纳 Wordpress provides a default function wp_hash_password(); Example: $password = 'admin'; $hash_pa
PHP函数 “password_hash“ 哈希密码
2024-02-23 15:35

luoluosheng07的博客值得注意的是，使用 password_hash 函数进行密码哈希处理时，PHP会自动为每个密码生成一个独一无二的盐值，这个盐值会与密码一起存储在哈希密码中，从而增加密码的安全性。在使用 "password_hash" 函数进行密码哈希...
使用bcrypt哈希密码迁移系统 laravel node.js php
2016-08-05 04:20

回答 2 已采纳 Are you asking if the hashed password data (stored on the server, for example) can be used in anot
PHP中创建和验证哈希的简单方法实探
2021-01-20 00:31

PHP 5.5.0 带来了一份...这将用作创建一个新的密码的哈希值。它包含三个参数：密码、哈希算法、选项。前两项为必须的。你可以根据下面的例子来使用这个函数： $password = 'foo'; $hash = password_hash($passw
如何在 PHP 中对密码进行哈希处理
2022-09-03 20:38

allway2的博客在此示例中，您将实现一个简单的脚本来自动将旧的、基于 MD5 的哈希转换为使用password_hash()但是...如果登录失败，请检查数据库中的哈希是否是密码的MD5哈希。PHP 支持不同的散列算法，但您通常希望使用默认的一种。
没有解决我的问题, 去提问

悬赏问题

¥15 mars2d在vue3中的引入问题
¥50 h5唤醒支付宝并跳转至向小荷包转账界面
¥15 算法题：数的划分，用记忆化DFS做WA求调
¥15 chatglm-6b应用到django项目中，模型加载失败
¥15 CreateBitmapFromWicBitmap内存释放问题。
¥30 win c++ socket
¥15 C# datagridview 栏位进度
¥15 vue3页面el-table页面数据过多
¥100 vue3中融入gRPC-web
¥15 kali环境运行volatility分析android内存文件，缺profile

简单但安全的密码哈希

4条回答 默认 最新

悬赏问题

4条回答默认最新