douzhang6176 2012-03-28 17:35
浏览 41
已采纳

你如何添加,“舍入”到像hash_hmac()这样的函数?

I have read from this article http://codahale.com/how-to-safely-store-a-password/ and it says using a salt isn't even safe against GPU brute force attacks. I don't want to get hacked and have passwords decrypted in a few weeks... So I read some more and the solution was bcrypt however I don't want to implement the phpass class, I like SHA-512.

However if one can add rounds to sha-512 to slow down GPU attacks... how can that be done? Does rounds mean iterations?

How do you add rounds to slow down sha512?

  • 写回答

2条回答 默认 最新

  • dsaf415212 2012-03-28 17:53
    关注

    One of the most secure ways for storing password that I found is following:

    <?php    
function createPasswordSalt($saltLength = 20) {
    return substr(md5(uniqid(rand(), true)), 0, $saltLength);
}

function createPasswordHash($password, $salt = null, $staticKey = null) {
    if ($staticKey === null) {
        $staticKey = "Some passphrase that will be only in your php script";
    }

    if ($salt === null) {
        $salt = self::createPasswordSalt(); 
    }       

    return hash_hmac('sha512', $password . $salt, $staticKey);

}

    And I store in database password and hash...

    So here I have used multiple layers of security. And one can only hack your passwords if he get your database and php scripts together. In any case if the hacker has your scripts he can hack any password you have in your database as he knows the scheme that you use for hashing passwords.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号
  • ¥15 基于单片机的靶位控制系统
  • ¥15 真我手机蓝牙传输进度消息被关闭了,怎么打开?(关键词-消息通知)
  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度