PHP中的哈希和安全措施
I have read about how to implement security into a website using hashing, and I am not creating something terribly sensitive like a bank or storing credit cards. I would, however, like to know the best practices. My site has a TLS cert with AES 256
Main issues:
1.) Sending the hashed password hashed again through the session seems to be the only way I can think of to keep the session fairly secure. In my opinion, I don't really care if the user finds that value, but I would care if the user found some way to see the database and knew exactly what my encryption algo was.
2.) Should I just completely take out my algorithm prior to hashing the password, or should I use different hashing methods?
Is it okay to use sha512 prior or after bcrypt, since both of these are sound as far as collisions and brute force?
我已经阅读过有关如何使用散列将安全性实现到网站中的方法,而且我没有创建像 银行或存储信用卡。 但是,我想知道最佳做法。 我的网站有一个带有AES 256的TLS证书 p>
主要问题: p>
1。)通过会话再次发送哈希密码哈希似乎是 只有这样我才能想到保持会话相当安全。 在我看来,我并不关心用户是否发现了这个值,但我会关心用户是否找到了一些方法来查看数据库并确切知道我的加密算法是什么。 p>
2.。)我应该在散列密码之前完全取出算法,还是应该使用不同的散列方法? p>
在bcrypt之前或之后使用sha512是否可以,因为这些都是碰撞和蛮力的声音? p> div>
Personally I just SHA512 passwords for storage and comparison upon login, and for session tracking I store a key of hash('sha512', $username.$salt.$password);, this key is stored in the session and compared against the user's key in the database to authenticate their session.
I've yet to come across any security issues with this, it shouldn't be possible to forge a key unless you know the user's username, password and their user salt (which obviously should not be stored in the database) so it should be secure as long as someone doesn't get access to both your database and your code (in which case you've got bigger issues than protecting user passwords ;))