问题描述
使用 MySQL 的密码功能对应用程序使用的密码进行哈希处理是好还是坏?我可以看到优点和缺点.我很好奇是否对它的好坏有普遍的共识.
Is it considered good or bad practice to use MySQL's password function to hash passwords used by an application? I can see pros and cons. I'm curious if there is a general consensus on whether it is good or bad.
推荐答案
MySQL 的文档 PASSWORD() 函数状态:
The docs for MySQL's PASSWORD() function states:
PASSWORD() 函数被 MySQL Server 中的认证系统使用;您不应在自己的应用程序中使用它.
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications.
阅读您可能存储的密码不正确"以获得更好的建议散列和存储密码.
Read "You're Probably Storing Passwords Incorrectly" for better advice on hashing and storing passwords.
MD5 和 SHA-1 被认为太弱而不能用于密码.当前的建议是使用 SHA-256.
MD5 and SHA-1 are considered to be too weak to use for passwords. The current recommendation is to use SHA-256.
我为 MySQL 贡献了一个补丁来支持 SHA2()
功能,并且补丁已被接受,但由于他们的路线图发生了变化,因此尚不清楚何时会使其成为已发布的产品.
I contributed a patch to MySQL to support a SHA2()
function, and the patch was accepted, but since their roadmap has changed it's not clear when it will make it into a released product.
同时,您可以在您的编程语言中使用散列和加盐,并将结果散列摘要存储在数据库中.如果您使用 PHP,则 hash()
函数.
In the meantime, you can use hashing and salting in your programming language, and simply store the result hash digest in the database. If you use PHP, SHA-256 is available in the hash()
function.
更新: MySQL 5.5.8 于 2010 年 12 月发布,该版本包含对 SHA2()
函数.
update: MySQL 5.5.8 was released in December 2010, and that release contains support for the SHA2()
function.
这篇关于MySQL密码功能的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!