mcrypt deprecated? - How to correctly encrypt and save passwords in PHP?

I was told, that php mcrypt is deprecated and I should use a different method to hash and salt my passwords.

This is what I do currently:

public function saveNewUser(array $data) {
  // escape the submitted password, then hash it with bcrypt (cost 11)
  // using a salt generated by mcrypt
  $passwd = $this->mysqli->real_escape_string($data['passwd']);
  $options = [
      'cost' => 11,
      'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM)
  ];

  $hashed_passwd = password_hash($passwd, PASSWORD_BCRYPT, $options);
  // token for the opt-in (confirmation) mail
  $this->optin_hash = md5(rand());
  //...
  //save user in DB with hashed passwd
}

Login:

if (password_verify($_POST['user_password'], $result_row->gmw_usr_passwd)) {
    // do some login stuff
}

1.) What is the latest and most secure way to crypt and save a password? Can you give a usage example or a link showing how to crypt and save a password correctly and how to verify it at login?

2.) In the PHP documentation I read something about password_hash:

password_hash() creates a new password hash using a strong one-way hashing algorithm. password_hash() is compatible with crypt(). Therefore, password hashes created by crypt() can be used with password_hash().

(...)

Warning The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.

2.a) Is password_hash an alternative to what I used?

2.b) So I don't need to add salt by myself?

2.c) What about that Blowfish algorithm I used and all the other steps I added? Are they not necessary anymore?

2.d) how do I verify the passwords for login, when I use password_hash?

EDIT: Sorry I saw that I already use password_hash (it was a very short coding-night).

As described by Artjom B., I don't need mcrypt (?)

douwei2825
douwei2825 1. Don't over-salt. Just let password_hash() generate it. 2. Anywhere else you need randomness, use random_bytes(). If you need the code to work in a PHP 5 project, grab a copy of github.com/paragonie/random_compat and call it a day.
About 4 years ago Reply
dongniaoli1822
dongniaoli1822 Better to omit the salt parameter; the function password_hash() will generate one itself and store it. A salt created with mcrypt_create_iv() isn't suitable for BCrypt anyway.
About 4 years ago Reply
doushan3511
doushan3511 Well, that depends on your requirements for the salt. If you really need a salt of a specific length that differs from the default, then you can't simply use the default, can you? Although the default is perfectly fine, and I see no reason not to use it.
About 4 years ago Reply
donglaoping9702
donglaoping9702 So I just remove this option? I'd use this instead: $options = ['cost' => 11];
About 4 years ago Reply
douzha8489
douzha8489 You don't need mcrypt to generate random bytes. The OpenSSL extension has a similar function.
About 4 years ago Reply

1 Answer


The new standard way, according to PHP documentation for PHP 7.0, is to use password_hash to hash the original password and then password_verify at login time, to verify the correctness of the provided password.

These functions are wrappers around the fundamentals, like crypt(), and are recommended because they take care of things that you and I will never think about, like choosing the correct source of randomness for generating the salt (you can't use a standard rand function for encryption).

Coming to 2b and the rest, you don't need to add the salt yourself because it is generated by PHP and included in the password, and all the necessary steps are done for you.

You just need to save the hashed password, created with password_hash, on the database and then use it, at login time, to compare it with the user-supplied password using password_verify.

Also, yes, mcrypt is deprecated, because it's not updated anymore.

douduidui1046
douduidui1046 If you want to keep using the cost, you can remove the line about the salt and keep the one about the cost. Also, I'm not sure whether you know that PASSWORD_BCRYPT actually uses Blowfish, so PASSWORD_DEFAULT is already bcrypt rather than a simple hash function like md5 or sha. So you can use password_hash($passwd, PASSWORD_DEFAULT).
About 4 years ago Reply
douchenbiao0916
douchenbiao0916 Or I just use: password_hash($passwd), and I'm done?
About 4 years ago Reply
dongshen6060
dongshen6060 Thanks for the explanation! As I said above: so I just remove this line: 'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM) and that's it?
About 4 years ago Reply
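As an added example (not code from the question or the answer above), here is the registration and login flow the answer describes, written out in PHP: password_hash() with PASSWORD_DEFAULT and only the cost option, password_verify() at login, and password_needs_rehash() so the cost can be raised later without locking anyone out. The users table, the HASH_COST constant and the in-memory SQLite connection (pdo_sqlite extension) are assumptions made for this example.

```php
<?php
// Registration and login with password_hash()/password_verify(): no manual
// salt, cost kept as an option, and password_needs_rehash() so the cost (or
// the algorithm) can be raised later. HASH_COST, the users table and the PDO
// connection are assumptions for this example.

const HASH_COST = 11; // bcrypt work factor; raise it as hardware gets faster

function makePasswordHash(string $plain): string
{
    // PASSWORD_DEFAULT is bcrypt (Blowfish) today and may change in future
    // PHP versions. The salt comes from a CSPRNG and is embedded in the
    // returned string, so there is no 'salt' option at all.
    // Do not escape the password before hashing: real_escape_string()
    // would alter it; prepared statements handle the SQL side instead.
    return password_hash($plain, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
}

function saveNewUser(PDO $pdo, string $name, string $plain): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name, passwd_hash) VALUES (?, ?)');
    $stmt->execute([$name, makePasswordHash($plain)]);
}

function login(PDO $pdo, string $name, string $plain): bool
{
    $stmt = $pdo->prepare('SELECT passwd_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn(); // false when the user does not exist
    if ($stored === false || !password_verify($plain, $stored)) {
        return false; // unknown user or wrong password: same answer for both
    }
    // Transparent upgrade: if the stored hash uses an older algorithm or a
    // lower cost than the current settings, rehash while the plaintext is at hand.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => HASH_COST])) {
        $upd = $pdo->prepare('UPDATE users SET passwd_hash = ? WHERE name = ?');
        $upd->execute([makePasswordHash($plain), $name]);
    }
    return true;
}

// Demonstration on an in-memory SQLite database with constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT PRIMARY KEY, passwd_hash TEXT NOT NULL)');
saveNewUser($pdo, 'alice', 'correct horse battery staple');
var_dump(login($pdo, 'alice', 'correct horse battery staple')); // right password
var_dump(login($pdo, 'alice', 'wrong password'));               // wrong password
var_dump(login($pdo, 'bob', 'anything'));                       // unknown user
// Two hashes of the same password differ, because each one gets a fresh salt.
var_dump(makePasswordHash('secret') === makePasswordHash('secret'));
```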