password security in PHP

 

What method would you call safest and most secure? I took these snippets off php.net. I'm just wondering because people posted their own and I just couldn't catch on to understand why some are the way they are... Can someone help me out and tell me a little more about these? Which would be the most secure and why?

1. 

<?php
$hash = md5($salt1.$password.$salt2);
?>

2. 

<?php
function eliteEncrypt($string) {
    // Create a salt
    $salt = md5($string."%*4!#$;.k~'(_@");

    // Hash the string
    $string = md5("$salt$string$salt");

    return $string;
}
?>

3. 

<?php
define ('SALT_ONE', 'some_random_123_collection_&$^%_of_stuff');
define ('SALT_TWO', 'another_random_%*!_collection_ANbu_of_stuff');

$password = 'dragon';

function generate_encrypted_password($str) {
$new_pword = '';

if( defined('SALT_ONE') ):
   $new_pword .= md5(SALT_ONE);
endif;

$new_pword .= md5($str);

if( defined('SALT_TWO') ):
   $new_pword .= md5(SALT_TWO);
endif;

return substr($new_pword, strlen($str), 40);
}

echo generate_encrypted_password($password);
?>

4. 

<?
function enchsetenev($toencode,$times)
{
    $salt = 's+(_a*';
    for($zo=0;$zo<$times;$zo=$zo+1)
    {
        $toencode = hash('sha512',salt.$toencode);
        $toencode = md5($toencode.$salt);
    }
    return $toencode;
}

?>

5. 

<?php
$hash = $password . $salt;

for ( $i = 0; $i < 10000; $i++ ) {
  $hash = md5( $hash );
}

echo $hash;
?>
  • It is a basic example of what we want, a salt added to the password
  • It is the same example but with the salt generation part.
  • A different method for salting, but still pretty equivalent
  • There's absolutely no point in this over complicated example, hashing with two different hash method many times absolutely don't improve security.
  • Like already said, there's absolutely no point to perform 10000 times a hash.

    • If you change the first example to : 

    <?php
  $hash = hash('sha256', $salt1.$password.$salt2);
?>

    this will be secure enough for 99% of the application.

    The only question is how to generate the salt. I recommend a fixed salt ($salt2) and on salt generated for each user ($salt1) which is stored in the database along the password.

    This way you're pretty secure against rainbow table attack even if someone retrieves the content of your database.

    更好的选择是使用md5以外的东西,请在这里查看以前回答的与此相关的问题。

    there is no standard good answer for this. What I do know is that security and speed has to be balanced. You could AES encrypt every information but would that be feasible? To answer your question MD5 (which is one way encrypt) plus SALT (a really random string) is considered a good standard of security. It just happens to be fastest and secure enough.

    If you try to implement your own encryption and what not it will be like that magic trick where you entangle the wire too many times and yet it comes undone with wrist slap. So go for SALT+MD5 unless you want to theorize and thesis-fy the idea.

    链接地址: http://www.djcxy.com/p/51412.html

    上一篇: 如何在C中手动将十进制值转换为十六进制字符串?

    下一篇: PHP中的密码安全性