层出不穷的类似事件对用户会造成巨大的影响，因为人们往往习惯在不同网站使用相同的密码，一家“暴库”，全部遭殃
一般的解决方案。
1、将明文密码做单向hash
$password = md5($_POST["password"]); // plain unsalted MD5 of the submitted password: the weakest option, see the rainbow-table note and the password_hash() section below
2、密码+salt后做单向hash，PHP内置了hash()函数，你只需要将加密方式传给hash()函数就好了。你可以直接指明sha256, sha512, md5, sha1等加密方式
<?php
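/**
 * Salted SHA-256 digest of a password (step 2 of the article: password + salt, one-way hash).
 *
 * The salt comes from random_bytes() (a CSPRNG) instead of md5(uniqid(rand())), and it is
 * returned together with the digest: a salted digest can only be re-checked later if the
 * salt is stored next to it, and the original version discarded it. This is still a fast,
 * single-pass hash; the Bcrypt / password_hash() sections below are the recommended choice.
 *
 * @param string      $password plaintext password as submitted by the user
 * @param string|null $salt     salt to reuse when re-computing the digest for verification;
 *                              a fresh 16-byte salt (32 hex chars) is generated when null
 * @return string "<salt>:<hex sha256 of password . salt>"
 * @throws \Exception when no cryptographically secure randomness source is available
 */
function generateHashWithSalt($password, $salt = null) {
    if ($salt === null) {
        $salt = bin2hex(random_bytes(16));
    }
    // Concatenation order (password first, then salt) matches the original listing.
    return $salt . ':' . hash("sha256", $password . $salt);
}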
?>
单向哈希算法有一个特性，无法通过哈希后的摘要(digest)恢复原始数据，常用的单向哈希算法包括SHA-256，SHA-1，MD5等。例如，对密码“passwordhunter”进行SHA-256哈希后的摘要(digest)如下：
“bbed833d2c7805c4bf039b140bec7e7452125a04efa9e0b296395a9b95c2d44c”
注意：攻击者可以将所有密码的常见组合进行单向哈希，得到一个摘要组合，然后与数据库中的摘要进行比对即可获得对应的密码。这个摘要组合也被称为rainbow table。更糟糕的是，一个攻击者只要建立上述的rainbow table，就可以匹配所有的密码数据库。仍然等同于一家“暴库”，全部遭殃
**比较好的解决方案**
Bcrypt
<?php
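/**
 * Hash a password with Bcrypt through crypt(), using a "$2y$" salt at cost 11.
 *
 * The 22-character salt is taken from random_bytes() and re-encoded into the
 * "./0-9A-Za-z" alphabet that crypt()'s Blowfish variant expects; the original
 * md5(uniqid(rand())) construction is not a CSPRNG. crypt() reports failure with a
 * short "*"-prefixed string instead of throwing, and the original silently returned
 * null when Blowfish was unavailable — both cases now raise, so an unusable value
 * can never end up stored as a password hash. Bcrypt only uses the first 72 bytes
 * of the password.
 *
 * @param string $password plaintext password
 * @return string 60-character Bcrypt hash beginning with "$2y$11$"
 * @throws \RuntimeException if CRYPT_BLOWFISH is unavailable or crypt() fails
 * @throws \Exception when no secure randomness source is available
 */
function generateHash($password) {
    if (!defined("CRYPT_BLOWFISH") || !CRYPT_BLOWFISH) {
        throw new RuntimeException('Bcrypt (CRYPT_BLOWFISH) is not available in this PHP build');
    }
    // 16 random bytes -> 24 base64 chars; '+' is not in crypt()'s salt alphabet, '.' is.
    $salt = '$2y$11$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, $salt);
    // crypt() signals an error with a value shorter than 13 characters (e.g. "*0").
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed to produce a Bcrypt hash');
    }
    return $hash;
}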
?>
Bcrypt 其实就是Blowfish和crypt()函数的结合，我们这里通过CRYPT_BLOWFISH判断Blowfish是否可用，然后像上面一样生成一个盐值，不过这里需要注意的是，crypt()的盐值必须以$2a$或者$2y$开头，详细资料可以参考下面的链接：
http://www.php.net/security/crypt_blowfish.php
http://php.net/manual/en/function.crypt.php
Password Hashing API
Password Hashing API是PHP 5.5之后才有的新特性，它主要是提供下面几个函数供我们使用
password_hash() – 对密码加密.
password_verify() – 验证已经加密的密码，检验其hash字串是否一致.
password_needs_rehash() – 给密码重新加密.
password_get_info() – 返回加密算法的名称和一些相关信息.
虽然说crypt()函数在使用上已足够，但是password_hash()不仅可以使我们的代码更加简短，而且还在安全方面给了我们更好的保障，所以，现在PHP的官方都是推荐这种方式来加密用户的密码，很多流行的框架比如Laravel就是用的这种加密方式
<?php
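$hash = password_hash($password, PASSWORD_DEFAULT); /* fixed: the original referenced the undefined variable $passwod, so it always hashed null */ ?>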
PASSWORD_DEFAULT目前使用的就是Bcrypt，最好的还是Password Hashing API。这里需要注意的是，如果你代码使用的都是PASSWORD_DEFAULT加密方式，那么在数据库的表中，password字段就得设置超过60个字符长度，你也可以使用PASSWORD_BCRYPT，这个时候，加密后字串总是60个字符长度。
这里使用password_hash()你完全可以不提供盐值(salt)和消耗值(cost)，你可以将后者理解为一种性能的消耗值，cost越大，加密算法越复杂，消耗的内存也就越大。当然，如果你需要指定对应的盐值和消耗值，你可以这样写
<?php
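/**
 * Build a Bcrypt-style salt string ("$2y$11$" followed by 22 chars) from a CSPRNG.
 *
 * Replaces md5(uniqid(rand())) — rand() and uniqid() are predictable and not
 * suitable for a salt — with random_bytes() re-encoded into crypt()'s
 * "./0-9A-Za-z" alphabet. Note that password_hash() generates its own salt:
 * its 'salt' option is deprecated since PHP 7.0 and ignored by PHP 8, so this
 * helper is only useful when calling crypt() directly.
 *
 * @return string salt usable as the second argument of crypt()
 * @throws \Exception when no secure randomness source is available
 */
function custom_function_for_salt(){
    // 16 random bytes -> 24 base64 chars; '+' is swapped for '.', which crypt() accepts.
    $encoded = strtr(base64_encode(random_bytes(16)), '+', '.');
    return '$2y$11$' . substr($encoded, 0, 22);
}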
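// password_hash() expects a string; an int literal would be coerced (and rejected
// under strict_types), so the example password is written as a string.
$password = '123456';
// Only the cost is configurable here: password_hash() generates its own random
// salt, and its 'salt' option is deprecated since PHP 7.0 and ignored by PHP 8,
// so custom_function_for_salt() is no longer passed in.
$options = [
    'cost' => 12, // the default cost is 10; a higher cost makes each hash slower to compute
];
$hash = password_hash($password, PASSWORD_DEFAULT, $options);
echo $hash;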
?>
密码加密过后，我们需要对密码进行验证，以此来判断用户输入的密码是否正确
<?php
// Check the submitted plaintext against the stored hash; password_verify() reads the
// algorithm, cost and salt from $hash itself, so no options are needed here.
// NOTE(review): $password and $hash are expected to be set by the surrounding script.
if (!password_verify($password, $hash)) {
    // Invalid
} else {
    // Pass
}
直接使用password_verify就可以对我们之前加密过的字符串（存在数据库中）进行验证了
如果有时候我们需要更改我们的加密方式，如某一天我们突然想更换一下盐值或者提高一下消耗值，我们这时候就要使用到password_needs_rehash()函数了
<?php
// Upgrade the stored hash when its parameters no longer match the current policy.
// NOTE(review): assumes $password was just verified against $hash with password_verify(),
// since the plaintext is required to produce the replacement hash.
$policy = ['cost' => 12];
if (password_needs_rehash($hash, PASSWORD_DEFAULT, $policy)) {
    // re-hash at cost 12
    $hash = password_hash($password, PASSWORD_DEFAULT, $policy);
    // don't forget to store the new hash!
}
只有这样，PHP的Password Hashing API才会知道我们重新更换了加密方式，这样的主要目的就是为了后面的密码验证，password_get_info()，这个函数一般可以看到下面三个信息
algo – 算法实例
algoName – 算法名字
options – 加密时候的可选参数
ÒÔÉϾÍÊDZ¾ÎĵÄÈ«²¿ÄÚÈÝ£¬Ï£Íu¶Ô´o¼ÒµÄѧϰÓÐËu°iÖu£¬Ò²Ï£Íu´o¼Ò¶a¶aÖ§³Ö½Å±¾Ö®¼Ò¡£