douya7282 2012-02-03 04:59
浏览 51
已采纳

PHP中的哈希和安全措施

I have read about how to implement security into a website using hashing, and I am not creating something terribly sensitive like a bank or storing credit cards. I would, however, like to know the best practices. My site has a TLS cert with AES 256

Main issues:

1.) Sending the hashed password hashed again through the session seems to be the only way I can think of to keep the session fairly secure. In my opinion, I don't really care if the user finds that value, but I would care if the user found some way to see the database and knew exactly what my encryption algo was.

2.) Should I just completely take out my algorithm prior to hashing the password, or should I use different hashing methods?

Is it okay to use sha512 prior or after bcrypt, since both of these are sound as far as collisions and brute force?

  • 写回答

1条回答 默认 最新

  • drgc9632 2012-02-03 05:14
    关注

    Personally I just SHA512 passwords for storage and comparison upon login, and for session tracking I store a key of hash('sha512', $username.$salt.$password);, this key is stored in the session and compared against the user's key in the database to authenticate their session.

    I've yet to come across any security issues with this, it shouldn't be possible to forge a key unless you know the user's username, password and their user salt (which obviously should not be stored in the database) so it should be secure as long as someone doesn't get access to both your database and your code (in which case you've got bigger issues than protecting user passwords ;))

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?
  • ¥15 c++头文件不能识别CDialog