问题
I am using sha1 function to store my password in mysql DB..
$passwordHash = sha1($password);
From google I got this From user registration
sha1( sha1(users_plaintext_password)+random string )
To check
server computes sha1( users_hashed_password_in_database +
$_SESSION['random_string'] )
if $_POST['password'] ==
sha1( users_hashed_password_in_database + $_SESSION['random_string'] )
My question is how do I check for validation?Is this the correct method?? And does using some random string as salt give my password more protection??
回答1:
I would do it as follows:
$seed = 'some random string';
$passwordHash = sha1($password.$seed);
Then do the same with data entered by the user:
$pass = $_POST['password'];
if(sha1($pass.$seed) == $passwordHash){
//log user in
}
The seed is a good idea, because users often pick passwords that are easy to guess. Another advantage is that you may be able to restore security to your site by changing the seed if someone manages to hack their way in.
来源:https://stackoverflow.com/questions/16177209/basic-mysql-sha1-password-valid-check