我應該如何使用PHP哈希我的密碼？

Question

可能重複：
Secure hash and salt for PHP passwords

我試圖創建一個哈希我用haval160,4散列算法鹽密碼的功能。但我不明白這是安全。我提供以下代碼：

請讓我知道如何改進安全系統。

<?php  
defined("SALT")? NULL : define("SALT", "abcdefthijklmnopqursuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*/\|[]{}()~!@#$%^&*_+:.,;1234567890"); 

function createSalt(){ 
     static $random_string; 
     for($i=0;$i<64;$i++){ 
      $random_string .= substr(str_shuffle(SALT), 0,25); 
     } 
    return $random_string; 
} 

global $salts;// I want to store the salt value into my database with password 
$salt = createSalt(); 
$salts = $salt;//I keep this cause I will check the matching password without database 

function createPassword($input_data,$salt){ 
    static $hash; 
    $cryc = crypt($input_data,$salt); 

     $hash = hash("haval160,4",$cryc); 

    return $hash; 
} 

$password = createPassword("123456",$salt); 
$stored_password = $password ; // I stored value into a variable cause I want to test without database 
//echo $password.'<hr>'; 

echo "Your Password: ".$password; 
echo "<br/> Your SALT VALUE: ".$salt.'<hr>'; 

function checkPassword($uid,$password,$salts,$stored_password){//this is just a test function... actual function don't require $salts and $stored_password 
    $db_uid = 1 ; 
    if($uid === $db_uid){ 

     $db_salt = $salts; 

     $db_password = createPassword($password,$db_salt); 
     if($db_password == $stored_password){ 
      echo "Password Match"; 
     }else{ 
      echo"password don't match"; 
     } 

    } 

} 

checkPassword(1,"123456",$salts,$stored_password); 

?> 

Answer 1

您不應該設計自己的加密算法。

使用此bcrypt執行：http://www.openwall.com/phpass/

require '../PasswordHash.php'; 
$hasher = new PasswordHash($hash_cost_log2=2, $hash_portable=false); // increase the first parameter if you need it to be slower (more secure) 

// Create hash 
$hash = $hasher->HashPassword($pass); 

// Check password 
$hasher->CheckPassword($pass, $hash); 

這是安全的，因爲你可以得到的，不費心尋找的東西「更安全」，而不要試圖鹽或其他任何東西添加到它。