Question
What is the best way to store login information in a database? I know that storing plain text passwords is not at all suggested. What are the other methods? What functions in PHP are available for storing and authenticating login information if hash values of the password are used?
I am using PHP, MySQL, Apache server on Windows machine.
Answer 1:
There are two camps in this security discussion:
1. Don't store the passwords in your DB. This usually means leveraging OAuth or equivalent. You will need to store a 'token' that uniquely identifies the user. This 'token' is provided by the authentication service that you select. The service also provides the authentication.
2. Store a hash (not reversible) transformation of the password in the DB. Then the authentication process is to compare the hashed version of the provided pword with the one in the DB.
There are complexities that should be considered depending upon your security considerations. I think the minimum should be a salted password implementation. This is typically something like:
$hash = sha1(saltThePword($pword, $salt));
where
function saltThePword($pword, $salt)
{
    // combine the password with a salt.
    // typically: $pword.$salt
    // $salt can be static
    // $salt can be unique to user (reproducible by a formula, or stored next to the hash)
    return $pword . $salt;
}
Hope this helps.
Bob
Answer 2:
PHP gives you md5(), sha1(), and more. A typical hashing technique is to add a "salt" to your plain text password to make it more difficult to brute force.
$pass = 'password';
$salt = 'aLongStringCalledASaltIsOftenUsedToMakeHashingMoreSecure';
$hash = sha1(md5($salt . $pass));
Answer 3:
Save the password as the string md5('password'), and when you check user authorization, use a query:
$res = mysql_query("SELECT id, login, name FROM user WHERE login='".mysql_real_escape_string($login)."' AND password='".md5($password)."'");
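As an added example (not code from the question or from any of the answers), here is the hash-in-the-DB approach from answers 1 and 3 written with PHP's built-in password_hash()/password_verify() (PHP 5.5+) and a PDO prepared statement. The lookup is by login only and the password is never interpolated into SQL; the stored string already carries a random per-user salt, the algorithm and the cost. It uses an in-memory SQLite database so it runs stand-alone; the MySQL DSN and credentials shown in the comment are placeholders.

```php
<?php
// Added example: hash-based password storage and login check.
// Assumes PHP >= 5.5 (password_hash) and PDO with the sqlite driver for the demo.
declare(strict_types=1);

function openDb(): PDO
{
    // Constructed in-memory schema so the example runs offline.
    // For MySQL: new PDO('mysql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASS')
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        login TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $login, string $password): void
{
    // password_hash() generates a random per-user salt and stores it inside the
    // returned string together with the algorithm id and cost: no salt column needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO user (login, password_hash) VALUES (:login, :hash)');
    $stmt->execute([':login' => $login, ':hash' => $hash]);
}

function authenticate(PDO $db, string $login, string $password): ?int
{
    // Look the user up by login only; the password never goes into the query.
    $stmt = $db->prepare('SELECT id, password_hash FROM user WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Still run one verify so an unknown login takes about as long as a wrong password.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return null;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }
    // If PHP's default algorithm or cost changed since this hash was made, upgrade it now,
    // while the plain password is available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE user SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Demo with constructed accounts.
$db = openDb();
registerUser($db, 'alice', 'correct horse battery staple');
registerUser($db, 'bob', 'correct horse battery staple');

// Same password, but the two stored hashes differ because each has its own salt.
$rows = $db->query('SELECT login, password_hash FROM user ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
echo $rows[0]['password_hash'] !== $rows[1]['password_hash'] ? "per-user salt: ok\n" : "per-user salt: FAIL\n";

echo authenticate($db, 'alice', 'correct horse battery staple') === 1 ? "alice login: ok\n" : "alice login: FAIL\n";
echo authenticate($db, 'alice', 'wrong') === null ? "wrong password rejected\n" : "FAIL\n";
echo authenticate($db, 'nobody', 'anything') === null ? "unknown login rejected\n" : "FAIL\n";
```

Compared with the query in answer 3, the difference that matters is that the comparison happens in PHP with password_verify() against a slow, salted hash rather than in SQL against an unsalted md5, and that the PDO placeholder removes the need for mysql_real_escape_string(). The mysql_* extension is also removed in PHP 7, so PDO or mysqli is what a current install offers anyway.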
Answer 4:
I like using sha2 for my encryption algorithm; also make sure your salt is in a safe place and not in your database under a column or table named salt.
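One way to realise the "keep the secret out of the database" idea in this answer is a pepper: a site-wide secret read from the environment or a config file outside the web root, applied with HMAC-SHA-256 before the per-user salted hash. This is an added example, not code from the answer; APP_PASSWORD_PEPPER is a hypothetical variable name and the fallback value is constructed so the script runs stand-alone.

```php
<?php
// Added example: a pepper kept outside the DB, combined with password_hash().
// Assumes PHP >= 5.5.
declare(strict_types=1);

const PEPPER_ENV = 'APP_PASSWORD_PEPPER'; // hypothetical environment variable name

function loadPepper(): string
{
    // Read the secret from the environment (or a config file outside the web root),
    // never from a DB column; the fallback is a constructed demo value only.
    $pepper = getenv(PEPPER_ENV);
    return $pepper !== false && $pepper !== '' ? $pepper : 'demo-only-pepper-replace-me';
}

function hashPassword(string $password, string $pepper): string
{
    // HMAC with the pepper first: a copy of the database alone is then not enough
    // to test password guesses offline. The 64-hex-char digest also stays well under
    // bcrypt's 72-byte input limit, whatever the user's password length.
    $peppered = hash_hmac('sha256', $password, $pepper);
    // Then the usual slow, per-user-salted hash for storage.
    return password_hash($peppered, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $stored, string $pepper): bool
{
    // Recompute the HMAC and let password_verify() do the constant-time comparison.
    return password_verify(hash_hmac('sha256', $password, $pepper), $stored);
}

// Demo with a constructed password.
$pepper = loadPepper();
$stored = hashPassword('hunter2', $pepper);
echo checkPassword('hunter2', $stored, $pepper) ? "correct password: ok\n" : "FAIL\n";
echo checkPassword('hunter3', $stored, $pepper) ? "FAIL\n" : "wrong password rejected\n";
echo checkPassword('hunter2', $stored, 'some-other-pepper') ? "FAIL\n" : "wrong pepper rejected\n";
```

Two operational caveats: the pepper must be backed up and deployed separately from the database, since losing it invalidates every stored hash, and it cannot be rotated in place; a rotation has to re-hash each user on their next successful login, as the password_needs_rehash() pattern does for cost changes.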
Source: https://stackoverflow.com/questions/6709775/methods-for-storing-login-information-in-database