// $salt is a ten-digit random string; md5Hash() in the question stands for PHP's md5() over salt + password
$storePassword = md5($salt . $userActuallyPassword);
When the user assigns a password, I generate a salt, which is a ten-digit random string, and I use md5 with the userActuallyPassword, and I store the salt and storePassword, without storing the user's actual password. Is this a good way to do so? Any comments on this?
It's almost good.
However, you should not use MD5, and you should use a non-ASCII salt.
Instead, use bcrypt
Try using a more rigorously-studied method like PBKDF2. You'll still store a hash and a salt, and you can pick your own hashing algorithm, but you'll take care of dictionary attacks, rainbow attacks and a variety of other problems. You can find a good implementation in the comments for the hash_hmac() function.
Nearly correct:
// store the salt in front of the hash so it can be split off again at verification time
$storePassword = $salt . md5($salt . $userActuallyPassword);
and instead of md5, you are better off using either SHA-256 or a bcrypt hash.
Also, a ten-digit random string does not have very much entropy; you could improve on it by using 128 random bits instead of digits.
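The scheme the PBKDF2 answer and the 128-bit-salt answer above describe, put together as an added PHP example (this is not code from the question or any of the answers). It replaces the question's hypothetical md5Hash() with PBKDF2-HMAC-SHA256 from PHP's hash_pbkdf2(), draws a 16-byte salt from random_bytes(), stores salt and hash in one self-describing string, and verifies with hash_equals(). The function names, the storage format and the iteration count are this example's own choices; the bcrypt functions at the end use PHP's built-in password_hash(), which generates and embeds its own salt.

```php
<?php
// Added example, not part of the original question or answers.
// Algorithm, iteration count and storage format are assumptions of this example.

const PBKDF2_ALGO       = 'sha256';
const PBKDF2_ITERATIONS = 100000;   // raise over time as hardware gets faster
const PBKDF2_KEY_BYTES  = 32;
const SALT_BYTES        = 16;       // 128 random bits, not ten decimal digits

// Hash a new password. Returns "pbkdf2-<algo>$<iterations>$<salt b64>$<hash b64>",
// which carries everything verifyPassword() needs; the password itself is never stored.
function storePassword(string $userActuallyPassword): string {
    $salt = random_bytes(SALT_BYTES);                      // CSPRNG, raw bytes (non-ASCII is fine)
    $hash = hash_pbkdf2(PBKDF2_ALGO, $userActuallyPassword, $salt,
                        PBKDF2_ITERATIONS, PBKDF2_KEY_BYTES, true);
    return sprintf('pbkdf2-%s$%d$%s$%s', PBKDF2_ALGO, PBKDF2_ITERATIONS,
                   base64_encode($salt), base64_encode($hash));
}

// Check a login attempt against the stored string. Re-derives the hash with the
// stored salt and parameters and compares in constant time.
function verifyPassword(string $candidate, string $stored): bool {
    $parts = explode('$', $stored);
    if (count($parts) !== 4) {
        return false;
    }
    [$algoTag, $iterations, $saltB64, $hashB64] = $parts;
    if (strpos($algoTag, 'pbkdf2-') !== 0) {
        return false;
    }
    $algo     = substr($algoTag, strlen('pbkdf2-'));
    $salt     = base64_decode($saltB64, true);
    $expected = base64_decode($hashB64, true);
    if ($salt === false || $expected === false || $expected === '') {
        return false;
    }
    $actual = hash_pbkdf2($algo, $candidate, $salt, (int) $iterations, strlen($expected), true);
    return hash_equals($expected, $actual);                // no early-exit string comparison
}

// bcrypt alternative from the other answers: password_hash() picks a random
// 128-bit salt itself and embeds it, so nothing has to be stored separately.
function storePasswordBcrypt(string $pw): string {
    return password_hash($pw, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPasswordBcrypt(string $pw, string $stored): bool {
    return password_verify($pw, $stored);
}

// Usage with a constructed password.
$stored = storePassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('Tr0ub4dor&3', $stored));

$storedBcrypt = storePasswordBcrypt('correct horse battery staple');
var_dump(verifyPasswordBcrypt('correct horse battery staple', $storedBcrypt));
```

Two verifications of the same password against the same stored string must agree, but two calls to storePassword() with the same password produce different strings because each draws a fresh salt; that is the property the ten-digit salt was meant to give and what makes precomputed (rainbow) tables useless. Keeping the algorithm and iteration count inside the stored string lets you raise the cost later and rehash users on their next successful login.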