2025-03-28 Update From: SLTechnology News&Howtos > Database
Shulou(Shulou.com)06/01 Report--
Keeping plaintext passwords in the database is a very unwise choice, and its harm is self-evident.
Rather than dwelling on the shortcomings of plaintext passwords, we will only talk about how to store passwords securely.
The basic security measures are as follows:
1. Set a minimum password length
2. Hash the user's password before storing it
3. Reset the password through a one-time link
4. Allow at most three reset messages per day from the same IP or MAC address
5. Require the original password when the user changes the password
6. Send an SMS or email notice after the user's information has been modified
Of course, stricter measures can also be taken:
7. Require SMS verification for logins from unfamiliar devices (an SMS platform is needed)
8. Set security questions and answers
9. Record failed login attempts and reject further logins after too many failures
Item 1: hashing and storing passwords
Generally speaking, md5 is the most common and simplest method, but it is also the one with the most ways to crack it.
PHP 5.5 and above provide the Password Hashing API, which makes password hashing very convenient.
Http://tw2.php.net/manual/zh/ref.password.php
Password hashing
Note that manually setting the salt value is not recommended here, and this option has been disabled since PHP 7.
The second parameter of password_hash selects the algorithm, and there are two options:
PASSWORD_DEFAULT (the default): the current algorithm is bcrypt, but this will change as PHP versions are updated, so it is recommended that the database field be set to char.
PASSWORD_BCRYPT: the algorithm is also bcrypt (the manual says CRYPT_BLOWFISH; in fact crypt() uses the CRYPT_BLOWFISH algorithm), the result is always a 60-character string, and the field can be set to char(60).
To put it simply, password_hash wraps bcrypt and will improve the algorithm used in future updates. At this stage, bcrypt is secure enough.
-
By the way, here is what cost and salt are.
Cost: used to resist brute-force cracking. As computers keep getting faster, someone could leave a machine running for decades to crack a password, so we artificially add a cost value to slow the algorithm down a little. The slowdown has little impact on a single operation, but it stretches the brute-force cracking time to tens of thousands of years.
Salt: used to defeat rainbow tables (search for the term yourself). As an interference item, the salt makes the ciphertext generated by each hash different, so a rainbow table cannot be used to crack it.
-
Password verification
// $hash is the hashed string read from the database
if (password_verify('password', $hash)) {
    // verification passed
} else {
    // verification failed
}
Check whether the hashing needs to be upgraded
// check whether $current_hash was produced by bcrypt; returns true if it was not and an upgrade is needed
// (do this right after a successful password_verify, while the plaintext $password is still available)
if (password_needs_rehash($current_hash, PASSWORD_BCRYPT)) {
    $new_hash = password_hash($password, PASSWORD_BCRYPT);
}
Get hash information
password_get_info can only be used on hashes generated by password_hash.
If you are using a PHP version below 5.5, you can use the following method (which I am using now; the principle is the same):
class Password {
    // bcrypt prefix and cost; on PHP >= 5.3.7 the '$2y$' prefix is the corrected variant of '$2a$'
    private static $algo = '$2a$';
    private static $cost = '$10';

    // 22-character salt; note that mt_rand() is not a cryptographic random source
    public static function unique_salt() {
        return substr(sha1(mt_rand()), 0, 22);
    }

    // salt string is "$2a$10$" + 22 salt characters = 29 characters
    public static function hash($password) {
        return crypt($password, self::$algo . self::$cost . '$' . self::unique_salt());
    }

    public static function check_password($hash, $password) {
        // the first 29 characters of the stored hash are the full salt
        $full_salt = substr($hash, 0, 29);
        $new_hash = crypt($password, $full_salt);
        // strict comparison: == would apply PHP's loose string juggling
        return ($hash === $new_hash);
    }
}
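As an added example that is not from the original article, here is a login flow on the Password Hashing API that upgrades stored hashes transparently: it covers a bcrypt cost that has been raised since the hash was made, and the legacy '$2a$' hashes produced by the crypt() class above. findHashByUsername() is the article's own name for the lookup; saveHashForUser() and the cost value are assumptions.

```php
<?php
// Added example (not the article's code): registration and login built on the Password
// Hashing API. At login the stored hash is upgraded on the fly whenever password_needs_rehash()
// reports that it was made with an older cost or by the legacy crypt() '$2a$' class.
// findHashByUsername() is the article's name for the lookup; saveHashForUser() is a
// hypothetical stand-in for the database write.

const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // raise this over time as hardware gets faster

/** Smallest bcrypt cost that takes at least $targetMs on this server (run once, then fix it). */
function calibrateCost(int $targetMs = 250): int {
    $cost = 9;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
    } while ((microtime(true) - $start) * 1000 < $targetMs && $cost < 31);
    return $cost;
}

function storeNewPassword(string $username, string $password): void {
    // No 'salt' option: password_hash() draws a random salt itself and embeds it in the result.
    saveHashForUser($username, password_hash($password, HASH_ALGO, HASH_OPTIONS));
}

/** Returns true only when the password matches; the caller decides what to do on false. */
function login(string $username, string $password): bool {
    $stored = findHashByUsername($username);
    if ($stored === null || !password_verify($password, $stored)) {
        return false;   // unknown user or wrong password: same answer for both
    }
    // The plaintext exists only inside this request, so this is the one place a hash can be upgraded.
    // password_needs_rehash() is true for bcrypt hashes with a cost other than 12 and for
    // legacy '$2a$' hashes, since PHP's own output uses the '$2y$' prefix.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        saveHashForUser($username, password_hash($password, HASH_ALGO, HASH_OPTIONS));
    }
    return true;
}
```

password_verify() still accepts '$2a$' hashes because it delegates to crypt(), so old users log in normally and leave with an upgraded hash.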
-
Item 2: a one-time reset link for the password
A one-time link has two characteristics:
It is valid for a limited period after it is generated (for example, 24 hours)
Once the password has been reset, the link becomes invalid immediately
So you need to record whether the link has expired. There are several approaches:
Save the generation time and whether the link has been used in the database (consider using a single field to record both).
Use a cache such as xcache; this requires installing xcache or a similar tool.
I am currently using xcache, mainly to avoid the overhead of writing to the database.
public function generate_link($username, $hash) {
    if (function_exists('xcache_isset')) {
        // use the md5 of the username as our unique_id
        $unique_id = md5($username);
        // save the username in the cache under unique_id, expiring after 24 hours
        xcache_set($unique_id, $username, 24 * 60 * 60);
        // hash the username and the password hash together as the validation token
        // (if you are not at ease, add a secret key to the input as well)
        $validate = md5($username . $hash);
        // concatenate the two parts
        $string = $unique_id . $validate;
        // generate the link to reset the password
        $link = $_SERVER['SERVER_NAME'] . "/reset-password?p=" . $string;
        return $link;
    }
}

// check whether the link is legitimate
public function check_link($p) {
    if (function_exists('xcache_isset')) {
        // take the unique_id from the link
        $unique_id = substr($p, 0, 32);
        if (xcache_isset($unique_id)) {
            // read the username through unique_id
            $username = xcache_get($unique_id);
            // read the password hash through the username
            $hash = findHashByUsername($username);
            // take the validation part from the link
            $link_md5 = substr($p, 32);
            // strict comparison, so PHP's loose string juggling is not applied
            if ($link_md5 === md5($username . $hash)) {
                // link verification succeeded
            } else {
                // link verification failed
                redirect();
            }
        } else {
            redirect();
        }
    }
}
Remember to clear the cache entry for $unique_id immediately after the password has been reset:
if (updateLoginPassword($username, $password)) {
    xcache_unset($unique_id);
}
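The same two properties (24-hour validity, invalid after first use) as an added example that is not the article's code, with a random token in place of md5($username) and only a hash of the token kept in storage. The $store array stands in for xcache or a database table and is an assumption, as are the function names.

```php
<?php
// Added example (not the article's code): a one-time reset link whose token is random rather
// than derived from the username, stored only as a SHA-256 hash, and removed on first use.
// $store stands in for xcache or a database table; swap in your own storage helpers.

const RESET_TTL = 24 * 60 * 60;   // valid for 24 hours, as in the article
$store = [];                       // sha256(token) => ['username' => ..., 'expires' => ...]

function generate_link(string $username, array &$store, string $host): string {
    $token = bin2hex(random_bytes(32));   // 256 random bits; cannot be guessed from the username
    $key = hash('sha256', $token);        // store a hash, so a leaked table cannot be used to forge links
    $store[$key] = ['username' => $username, 'expires' => time() + RESET_TTL];
    return 'https://' . $host . '/reset-password?p=' . $token;
}

/** Returns the username if the token is valid, or null. The token is consumed either way. */
function consume_link(string $p, array &$store): ?string {
    if (!preg_match('/^[0-9a-f]{64}$/', $p)) {   // reject malformed input before touching storage
        return null;
    }
    $key = hash('sha256', $p);
    if (!isset($store[$key])) {
        return null;                              // unknown, already used, or already purged
    }
    $entry = $store[$key];
    unset($store[$key]);                          // single use: removed whether or not it had expired
    if ($entry['expires'] < time()) {
        return null;
    }
    return $entry['username'];
}

// Usage with a constructed request: the first call yields 'alice', the second yields null
$link = generate_link('alice', $store, 'example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $query);
$user = consume_link($query['p'], $store);
$again = consume_link($query['p'], $store);
```

Because the entry is deleted inside consume_link(), the article's separate "clear the cache after reset" step is no longer needed; the reset handler just refuses to proceed when it receives null.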
Item 3: limit the number of password resets from the same IP in a day
Much like the one-time link, there are two approaches:
Save the IP in the database
Save the IP information through xcache
I will only provide a function for validating an IP; you can add the rest yourself.
// returns true for a public, well-formed IPv4 address; false for empty, malformed, private or reserved addresses
public static function validip($ip) {
    // ip2long() returns false for a malformed address on PHP 5 and later
    if (!empty($ip) && ip2long($ip) !== false) {
        $reserved_ips = array(
            array('0.0.0.0', '2.255.255.255'),
            array('10.0.0.0', '10.255.255.255'),
            array('127.0.0.0', '127.255.255.255'),
            array('169.254.0.0', '169.254.255.255'),
            array('172.16.0.0', '172.31.255.255'),
            array('192.0.2.0', '192.0.2.255'),
            array('192.168.0.0', '192.168.255.255'),
            array('255.255.255.0', '255.255.255.255')
        );
        foreach ($reserved_ips as $r) {
            $min = ip2long($r[0]);
            $max = ip2long($r[1]);
            if ((ip2long($ip) >= $min) && (ip2long($ip) <= $max)) {
                return false;
            }
        }
        return true;
    } else {
        return false;
    }
}
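An added example (not the article's code) that turns item 4 into working code: a per-IP, per-day counter capped at three reset messages, fed by a client-address function that applies the same public-range rule as validip() via filter_var(). The $counter array stands in for xcache or a database table; the function names and the trusted-proxy flag are assumptions.

```php
<?php
// Added example (not the article's code): the "three reset messages per IP per day" rule,
// built on a counter keyed by IP and calendar day. $counter stands in for xcache or a DB table;
// filter_var() replaces the article's hand-written reserved-range list.

const RESET_LIMIT_PER_DAY = 3;

/** Client address to rate-limit on. Forwarding headers are honoured only behind a proxy you control. */
function client_ip(array $server, bool $behind_trusted_proxy = false): ?string {
    $candidates = [];
    if ($behind_trusted_proxy && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // With one trusted proxy, the entry it appended (the rightmost) is the real client;
        // earlier entries arrived from the client itself and cannot be trusted.
        $hops = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidates[] = trim(end($hops));
    }
    $candidates[] = $server['REMOTE_ADDR'] ?? '';
    foreach ($candidates as $ip) {
        // accept only a well-formed public address (private and reserved ranges are rejected)
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false) {
            return $ip;
        }
    }
    return null;   // caller should refuse the reset rather than fall back to a shared key
}

/** True while this IP is still under today's limit; every call counts as one attempt. */
function allow_reset(string $ip, array &$counter, int $now): bool {
    $key = $ip . '|' . gmdate('Y-m-d', $now);   // the counter rolls over at UTC midnight
    $counter[$key] = ($counter[$key] ?? 0) + 1;
    return $counter[$key] <= RESET_LIMIT_PER_DAY;
}

// Usage with a constructed request: the fourth call in the same day returns false
$counter = [];
$ip = client_ip(['REMOTE_ADDR' => '198.51.100.9']);
$decisions = [];
for ($i = 0; $i < 4; $i++) {
    $decisions[] = allow_reset($ip, $counter, time());
}
```

Counting every call, successful or not, means a caller cannot probe the limit for free; the same function also works for the login-failure counter of item 9 with a different key prefix.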