PHP
Vanka, 2020-11-25 23:57:39

What is the best way to protect the password?

There are these functions:

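// Derive 84 hex characters of PBKDF2-SHA512 output and append the 16-character hex salt.
function pass_hash($pwd) {
  $salt = bin2hex(random_bytes(8));
  return hash_pbkdf2('sha512', $pwd, $salt, 7826, 84).$salt;
}

// Recompute the hash with the stored salt (last 16 characters) and compare.
function pass_verify($pwd, $hash) {
  $salt = substr($hash, -16);
  $hash2 = hash_pbkdf2('sha512', $pwd, $salt, 7826, 84);
  // hash_equals() compares in constant time, unlike strcmp()
  return hash_equals(substr($hash, 0, 84), $hash2);
}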

And there are the ones built into PHP:
password_hash()
password_verify()

Are the first functions better at protecting passwords when hacked?


5 answer(s)
FanatPHP, 2020-11-26
@planchek

The first option, of course, is nothing at all.
There are three attack vectors for passwords: rainbow tables, brute force, and dictionary guessing.
Salt protects from the first, algorithm from the second, password complexity from the third.
We're talking about an algorithm here. That is, about brute force. What is brute force? It is the dumb substitution of random combinations of characters, one after another, checking whether the hash matches. The faster the hash is calculated, the faster the password is cracked.
THEREFORE, the key characteristic of a hash for passwords is the difficulty of calculating it.
Your SHA-five-hundred-twelve run a hundred times over is, for modern hardware, like a sparrow sneezing. And even more so for the future.
Therefore, smart people have come up with algorithms that, firstly, calculate each hash much more slowly, and secondly, they adapt to the growing speed of processors, and tell you when it's time to complicate the algorithm. This is exactly what the built-in functions do, and that's why you should use them.
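
An added example, not part of the answer above: one way to move hashes stored in the question's PBKDF2 format over to the built-in functions at login, and to let `password_needs_rehash()` signal when the cost should be raised. The names `legacy_verify` and `verify_and_upgrade`, the cost values, and the sample password are assumptions made for illustration.

```php
<?php
// Legacy check for the format produced by the question's pass_hash():
// 84 hex chars of PBKDF2-SHA512 output followed by a 16-char hex salt.
function legacy_verify(string $pwd, string $stored): bool {
    if (strlen($stored) !== 100) {
        return false;
    }
    $salt = substr($stored, -16);
    $calc = hash_pbkdf2('sha512', $pwd, $salt, 7826, 84);
    return hash_equals(substr($stored, 0, 84), $calc);
}

// Returns [ok, newHash]. newHash is non-null when the caller should
// overwrite the stored value (legacy format, or cost below the target).
function verify_and_upgrade(string $pwd, string $stored, int $cost = 12): array {
    $opts = ['cost' => $cost];
    // password_get_info() reports an empty algo for strings that
    // password_hash() did not produce, so those go down the legacy path.
    if (empty(password_get_info($stored)['algo'])) {
        if (!legacy_verify($pwd, $stored)) {
            return [false, null];
        }
        return [true, password_hash($pwd, PASSWORD_BCRYPT, $opts)];
    }
    if (!password_verify($pwd, $stored)) {
        return [false, null];
    }
    // The stored hash encodes its own algorithm and cost; this is the
    // "tells you when it's time" part once the target cost is raised.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)
        ? password_hash($pwd, PASSWORD_BCRYPT, $opts)
        : null;
    return [true, $new];
}

// Constructed sample data: a record in the legacy format.
$pwd    = 'correct horse battery staple';
$salt   = bin2hex(random_bytes(8));
$legacy = hash_pbkdf2('sha512', $pwd, $salt, 7826, 84) . $salt;

[$ok, $bcrypt] = verify_and_upgrade($pwd, $legacy);      // legacy login, upgraded
[$ok2, $same]  = verify_and_upgrade($pwd, $bcrypt);      // already at target cost
[$ok3, $raise] = verify_and_upgrade($pwd, $bcrypt, 13);  // target cost raised
[$bad, $none]  = verify_and_upgrade('wrong guess', $bcrypt);
var_dump($ok, $ok2, $same, $ok3, password_get_info($raise)['options'], $bad);
```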

Rsa97, 2020-11-26
@Rsa97

https://www.php.net/manual/en/function.hash-pbkdf2.php

Caveat
The PBKDF2 method can be used to hash passwords for storage purposes. However, it is worth remembering that for these purposes it is much better to use password_hash() or crypt() with CRYPT_BLOWFISH.

ThunderCat, 2020-11-26
@ThunderCat

I understand that in a hammock and standing is more interesting, but still - 2 questions: Why the hell?

Anton Shamanov, 2020-11-26
@SilenceOfWinter

`password_...` is at least easier to use, but in general it doesn’t matter if you fix unsuccessful login attempts and block input for 5 seconds

xmoonlight, 2020-11-26
@xmoonlight

One in which the password itself is never sent from the front to the back.
Only its hash is always sent.
Then, this hash is hashed again by the built-in functions based on the previous (front hash) or any other information available only to the script, but not available to the database.
That is, we evenly distributed the load on the front and back to create a nested (two-level) hash.
When trying to pick up a password by brute force, you will have to select the already quadratic hashing complexity of an already slow (brute-resistant) hashing algorithm.
To reduce collisions, front key encryption can also be used on the back (instead of hashing), but this is a very expensive computational operation.
