Best way to make and store SALT

2018-05-30 06:22:10

This question already has an answer here:

The definitive guide to form-based website authentication [closed] 12 answers

PHP now has built-in password_hash and password_verify functions that use the industry-standard bcrypt algorithm. Use them - they manage the salt for you.

If you're stuck on PHP 5.4 or lower, there's a backport: https://github.com/ircmaxell/password_compat

As you say, the point of the salt is not to be an additional secret. The password is the secret. The password needs to be strong. If the password isn't strong it doesn't matter how it's hashed, it can be guessed directly on the login form without any attack on the hash. The point of the salt is solely what you say yourself:

Same hash for same password

The only purpose the salt has is to force a potential attacker to brute force every single password individually and not allow the attacker any economies of scale. It doesn't make any one single individual password stronger, but it makes all passwords together absolutely infeasible to brute force.

As such:

hardcoded salt: no

random salt: yes, your "disadvantages" are wrong

salt based on input: no, that's not a salt, it's just an altered hashing algorithm

In PHP, use password_hash , which generates the salt and stores it in the hash result, so you don't have to worry about it separately.

链接地址: http://www.djcxy.com/p/3718.html

上一篇: 我怎样才能把这个变成一个安全登录？

下一篇: 制作和储存盐的最佳途径