如何在登录时使用salt和hash？

I want to use salt and hash to create security login. I try to follow this tutorial and write own code but it always return false. Here is my code:

require_once 'application/third_party/Secure-Login/classes/Hashing.php';
require_once 'application/third_party/Secure-Login/classes/Salt.php';
$password = Hashing::create_hash('123456', Salt::random(12));
$old = '$2a$10$zuzycDw3Ack2cCoL3ds1sudJ2WioZ87.75ErLZVcZyh4d1hS2rHFu';

if (Hashing::validate($password, $old, Salt::random(12))) {
    echo true;
} else {
    echo false;
}

And two classes I included:

<?php

class Hashing {

    function __construct() {}

    /**
    * @param string $pass The user submitted password
    * @param string $hashed_pass The hashed password pulled from the database
    * @param string $salt The salt pulled from the database
    * @param string $hash_method The hashing method used to generate the hashed password
    */
    static function validate($pass, $hashed_pass, $salt, $hash_method = 'sha1') {
        if (function_exists('hash') && in_array($hash_method, hash_algos())) {
            return ($hashed_pass === hash($hash_method, $salt . $pass));
        }
        return ($hashed_pass === sha1($salt . $pass));
    }

    /**
     * Generates a secure, pseudo-random password with a safe fallback.
     */
    static function pseudo_rand($length) {
        if (function_exists('openssl_random_pseudo_bytes')) {
            $is_strong = false;
            $rand = openssl_random_pseudo_bytes($length, $is_strong);
            if ($is_strong === true) {
                return $rand;
            }
        }
        $rand = '';
        $sha = '';
        for ($i = 0; $i < $length; $i++) {
            $sha = hash('sha256', $sha . mt_rand());
            $chr = mt_rand(0, 62);
            $rand .= chr(hexdec($sha[$chr] . $sha[$chr + 1]));
        }
        return $rand;
    }

    /**
     * Creates a very secure hash. Uses blowfish by default with a fallback on SHA512.
     */
    static function create_hash($string, $salt = '', $hash_method = 'sha1', $stretch_cost = 10) {
    $salt = Hashing::pseudo_rand(128);
    $salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22);
    if (function_exists('hash') && in_array($hash_method, hash_algos())) {
            return crypt($string, '$2a$' . $stretch_cost . '$' . $salt);
    }
    return Hashing::_create_hash($string, $salt);
    }

    /**
     * Fall-back SHA512 hashing algorithm with stretching.
     */
    static function _create_hash($password, $salt) {
        $hash = '';
        for ($i = 0; $i < 20000; $i++) {
            $hash = hash('sha512', $hash . $salt . $password);
        }
        return $hash;
    }

}

<?php

class Salt {

    public static function random($len = 8) {
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()-=_+';
    $l = strlen($chars) - 1;
    $str = '';
    for ($i = 0; $i < $len; ++$i) {
            $str .= $chars[rand(0, $l)];
    }
    return $str;
    }

}

Please check help me! I don't know where is wrong and how it works. Thank so much!

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

3条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
doudeng9425 2015-05-08 11:11
关注
There are many problems with your code, so i strongly suggest to use the functions password_hash() and password_verify() to do the hashing.

Because you said that you want to understand how it works, here some tips:

static function create_hash($string, $salt = '', $hash_method = 'sha1', $stretch_cost = 10) { $salt = Hashing::pseudo_rand(128); $salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22); if (function_exists('hash') && in_array($hash_method, hash_algos())) { return crypt($string, '$2a$' . $stretch_cost . '$' . $salt); } return Hashing::_create_hash($string, $salt); }

This method first tries to use crypt() which is good, because it generates a BCrypt hash. The cost parameter will fail if it is smaller than 10, and the salt can be generated unsafe, and it uses ways too much entropy from the pool. Then it checks whether the hash() functions exists but this function is not at all made to hash passwords and has nothing to do with crypt().

Later for verification you do not use crypt(), instead you check with the hash() function, this is a different algorithm as before. Then the salt cannot be choosen freely to verify a password, instead you need the same salt that was used to generate the hash, the crypt() function actually did include this salt in the hash-value.

static function validate($pass, $hashed_pass, $salt, $hash_method = 'sha1') { if (function_exists('hash') && in_array($hash_method, hash_algos())) { return ($hashed_pass === hash($hash_method, $salt . $pass)); } return ($hashed_pass === sha1($salt . $pass)); }

If you want to learn a bit more about password hashing, i would invite you to read my tutorial about secure password storing.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(2条)

报告相同问题？

关注问题

如何在登录时使用salt和hash？ php
2015-05-08 04:08

回答 3 已采纳 There are many problems with your code, so i strongly suggest to use the functions password_hash()
使用salt / password / hash进行密码验证时出现问题 php
2014-04-22 16:39

回答 1 已采纳 I suspect you run into one of those two problems: The database field for the hashed password is
如何使用libsodium php使用salt加密/解密密码 php
2017-05-23 09:59

回答 2 已采纳 If you dont need specifically use libsodium, with this function you should be able to store the da
php crypt salt,了解PHP password_hash使用的bcrypt salt
2021-04-17 02:56

RachelEP的博客 Problem 1: What is the correct salt ...All sources I found say, that the salt has a length of 22 and that it is stored together with the algorithm, the costs and the actual hash value in the resul...
在Bcrypt之前使用512-hash？ php
2012-06-30 17:14

回答 4 已采纳 Actually the answer has to be no, it doesn't make the hash significant stronger in a cryptographic
如何使用CRYPT_SHA512增加crypt PHP API的salt长度？ php
2016-05-14 04:11

回答 1 已采纳 Two questions immediately come to mind: Why are you using CRYPT_SHA512 instead of CRYPT_BLOWFISH
可以安全地在数据库触发器中创建哈希和salt吗？ mysql php
2014-02-05 04:20

回答 1 已采纳 The best way would be to use a PHP function that hashes the password for you. If you have PHP =&g
php中写salt,PHP密码加盐salt Hash思路
2021-04-10 10:51

SW_孙维的博客加盐Hash：$salt=base64_encode(mcrypt_create_iv(32,MCRYPT_DEV_RANDOM));$password=sha1($register_password.$salt);解释:首先使用mcrypt，产生电脑随机生成的，专门用户加密的随机数函数。第二步，把得到的随机数...
PHP crypt（）函数的salt参数和返回值如何工作？ php
2011-08-23 23:07

回答 2 已采纳 The output of crypt consists of: (optionally an algorithm identifier + load factor) the salt for
如何使用CakePHP哈希算法和SALT编写用于在CakePHP网站数据库中为MySQL生成加密密码的SQL语句？ mysql php
2015-10-17 17:15

回答 1 已采纳 The most portable way would be to add the 'secret' function & view to your User controller as you
如何在PHP中使用带有password_hash（）的BCRYPT php
2017-03-24 06:30

回答 2 已采纳 The whole idea behind password_hash() is to always use an up-to-date hashing algorithm. Currently,
php hash生成,PHP的password_hash如何生成盐？
2021-04-10 10:16

茶未凉人已散的博客你好,你可能知道PHP最近推出了password_hash内置的最新版本.文件说：If omitted, a random salt will be created and the default cost will be used.问题是它添加盐的方法是什么？我很感兴趣,因为我想知道盐是否是...
如何在数据库中存储为散列创建的salt？ mysql php
2012-04-22 07:00

回答 1 已采纳 Usually, the salt is stored with the password hash, either in the same column or in an adjacent co
php hash 文件,php对文件进行hash运算
2021-03-24 13:51

love彤彤的博客 private function hash($salt, $password){ return bin2hex(hash("sha51将给定的明文密码通过加"盐"(干扰码)后，再经过哈希算法的sha512算法结果与哈希算法whirlpool算法的两个值进行与运算，将结果返回。...
php password_hash和password_verify
2018-12-24 10:15

ljwy1234的博客 password_hash() 兼容 crypt()。所以， crypt() 创建的密码散列也可用于 password_hash()。当前支持的算法： PASSWORD_DEFAULT - 使用 bcrypt 算法 (PHP 5.5.0 默认)。注意，该常量会随着 PHP 加入更新更高...
没有解决我的问题, 去提问

悬赏问题

¥15 C#算法问题, 不知道怎么处理这个数据的转换
¥15 YoloV5 第三方库的版本对照问题
¥15 请完成下列相关问题！
¥15 drone 推送镜像时候 purge: true 推送完毕后没有删除对应的镜像,手动拷贝到服务器执行结果正确在样才能让指令自动执行成功删除对应镜像，如何解决？
¥15 求daily translation（DT）偏差订正方法的代码
¥15 js调用html页面需要隐藏某个按钮
¥15 ads仿真结果在圆图上是怎么读数的
¥20 Cotex M3的调试和程序执行方式是什么样的？
¥20 java项目连接sqlserver时报ssl相关错误
¥15 一道python难题3

如何在登录时使用salt和hash？

3条回答 默认 最新

悬赏问题

3条回答默认最新