mcrypt is deprecated, what is the alternative?

2022-01-21 00:00:00 encryption passwords php php-7 mcrypt

The mcrypt-extension is deprecated and will be removed in PHP 7.2 according to the comment posted here. So I am looking for an alternative way to encrypt passwords.

Right now I am using something like

mcrypt_encrypt(MCRYPT_RIJNDAEL_128, md5($key, true), $string, MCRYPT_MODE_CBC, $iv)

I need your opinion on the best/strongest way to encrypt passwords. The encrypted password should of course be supported by PHP 7.xx and should also be decryptable, because my customers do want to have an option to 'recover' their passwords without generating a new one.

Recommended answer

It's best practice to hash passwords so they are not decryptable. This makes things slightly more difficult for attackers that may have gained access to your database or files.

If you must encrypt your data and have it decryptable, a guide to secure encryption/decryption is available at https://paragonie.com/white-paper/2015-secure-php-data-encryption. To summarize that link:

  • Use Libsodium - A PHP extension
  • If you can't use Libsodium, use defuse/php-encryption - Straight PHP code
  • If you can't use Libsodium or defuse/php-encryption, use OpenSSL - A lot of servers will already have this installed. If not, it can be compiled with --with-openssl[=DIR]
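
The two options from the answer side by side, as an added example that is not part of the original answer: `password_hash()` for login passwords, and libsodium's authenticated secretbox for data that must stay decryptable, in place of the `mcrypt_encrypt()` CBC call in the question. The function names `hashPassword`, `encryptSecret` and `decryptSecret` are hypothetical, the sample values are constructed, and the sodium extension is assumed to be loaded (it is bundled with PHP 7.2 and later).

```php
<?php
declare(strict_types=1);

// Login passwords: one-way hash. PASSWORD_DEFAULT selects the algorithm PHP
// currently recommends and stores the salt and cost inside the returned string.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Recoverable data: authenticated encryption (XSalsa20-Poly1305 secretbox).
function encryptSecret(string $plaintext, string $key): string
{
    // Fresh random nonce per message; not secret, stored in front of the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function decryptSecret(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        // Wrong key or modified ciphertext: the authentication tag did not verify.
        throw new RuntimeException('Decryption failed');
    }
    return $plain;
}

// Constructed sample values. Keep the key outside the database (config, KMS).
$key    = sodium_crypto_secretbox_keygen();
$stored = hashPassword('correct horse battery staple');
var_dump(password_verify('correct horse battery staple', $stored));
var_dump(password_verify('wrong guess', $stored));

$ct = encryptSecret('api-token-123', $key);
var_dump(decryptSecret($ct, $key) === 'api-token-123');

// Flip one bit of the stored value: tampering is rejected, which the
// unauthenticated CBC mode used in the question would not detect.
$tampered = base64_decode($ct);
$tampered[30] = $tampered[30] ^ "\x01";
try { decryptSecret(base64_encode($tampered), $key); }
catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```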
