问题描述

我一直在使用PHP的 crypt（）作为在我的数据库中存储和验证密码的方法。我使用散列的其他东西，但 crypt（）的密码。文件不是很好，似乎有很多争议。我使用河豚和两种盐密封密码并将其存储在数据库中。在我存储盐和加密的密码之前（像一个盐渍的哈希），但实现了它的冗余，因为盐是加密的密码字符串的一部分。

I've been using PHP's crypt() as a way to store and verify passwords in my database. I use hashing for other things, but crypt() for passwords. The documentation isn't that good and there seems to be a lot of debate. I'm using blowfish and two salts to crypt a password and store it in the database. Before I would store the salt and the encrypted password, (like a salted hash) but realized its redundant because the salt is part of the encrypted password string.

我是有点迷惑于彩虹表攻击如何在 crypt（）上工作，无论如何，从安全的角度来看，这看起来是正确的。我使用第二个盐附加到密码来增加短密码的熵，可能是过度的，但为什么不呢？

I'm a little confused on how rainbow table attacks would work on crypt(), anyway does this look correct from a security standpoint. I use a second salt to append to the password to increase the entropy of short passwords, probably overkill but why not?

function crypt_password($password) {
if ($password) {
    //find the longest valid salt allowed by server
    $max_salt = CRYPT_SALT_LENGTH;

    //blowfish hashing with a salt as follows: "$2a$", a two digit cost parameter, "$", and 22 base 64
    $blowfish = '$2a$10$';

    //get the longest salt, could set to 22 crypt ignores extra data
    $salt = get_salt ( $max_salt );

    //get a second salt to strengthen password
    $salt2 = get_salt ( 30 ); //set to whatever


    //append salt2 data to the password, and crypt using salt, results in a 60 char output
    $crypt_pass = crypt ( $password . $salt2, $blowfish . $salt );

    //insert crypt pass along with salt2 into database.
    $sql = "insert into database....";

    return true;
    }
}


function get_salt($length) {
$options = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';

$salt = '';

for($i = 0; $i <= $length; $i ++) {
    $options = str_shuffle ( $options );
    $salt .= $options [rand ( 0, 63 )];
}
return $salt;
}

function verify_password($input_password)
{
if($input_password)
{
    //get stored crypt pass,and salt2 from the database
    $stored_password = 'somethingfromdatabase';
    $stored_salt2 = 'somethingelsefromdatabase';

    //compare the crypt of input+stored_salt2 to the stored crypt password
    if (crypt($input_password . $stored_salt2, $stored_password) == $stored_password) {
        //authenticated
        return true;
    }
    else return false;
}
else return false;
}

推荐答案

你真的应该看看在PHPASS：这是使用密码的密码哈希框架（）用于Wordpress和phpBB等项目。

You really should have a look at PHPASS: http://www.openwall.com/phpass/ It's a password hashing framework using crypt() which is used in projects like Wordpress and phpBB.

本网站还有一篇关于密码散列，盐析和拉伸使用crypt（）的优秀文章：

There is also an excellent article on this website about password hashing, salting and stretching using crypt(): http://www.openwall.com/articles/PHP-Users-Passwords

更新：
目前PHPASS库有一种替代方法。在下一个版本的PHP中，有一些特殊功能用于散列和验证密码（使用bcrypt）：。有一个兼容性库可以实现PHP 5.3.7+的这些功能：

UPDATE:Currently there's an alternative for the PHPASS library. In the next version of PHP there are special functions for hashing and verifying passwords (using bcrypt): http://www.php.net/manual/en/ref.password.php. There is a compatibility library that implements these functions for PHP 5.3.7+: https://github.com/ircmaxell/password_compat

这篇关于我正在使用PHP的crypt（）函数吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！