堆栈内存溢出
  简体   繁体   English

password_hash输出的格式是什么?

[英]What is the format of password_hash output?

 原文  2013-08-08 17:54:44       php/ passwords/ verify/ php-password-hash

问题描述

I know the PHP function, password_hash outputs the algorithm, cost, salt, and hash all in one string so password_verify can check a password. 我知道PHP函数, password_hash输出算法,cost,salt和hash都在一个字符串中,所以password_verify可以检查密码。

Sample output from PHP page : PHP页面的示例输出: 

$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a

so the $2y$ represents the algorithm, the 10 represents cost. 因此$ 2y $代表算法, 10代表成本。 But how does password_verify separate the salt from the hash? 但是password_verify如何将哈希值与哈希分开? I don't see any identifier separating the two afterwards. 之后我没有看到任何标识符将两者分开。

1 个解决方案

解决方案1
 0  2019-05-20 17:02:53

For the bCrypt version of Password Hash. 对于密码哈希的bCrypt版本。 Bcrypt has a fixed-length salt value. Bcrypt具有固定长度的盐值。 The crypt function which is what PHP calls internally when you're utilizing password_hash()/password_verify() with the default algorithm has aa 16 byte salt. 当您使用带有默认算法的password_hash()/ password_verify()时,PHP内部调用的crypt函数具有16字节的盐。 This is given as a 22 characters of the custom base64 alphabet A-Za-z/. 这是自定义base64字母A-Za-z/.的22个字符A-Za-z/. then it decodes the string into bytes as 22 B64 characters encode 16.5Bytes there is an extra nibble of data that is not taken into account. 然后它将字符串解码为字节,因为22个B64字符编码为16.5Bytes,有一个额外的半字节数据没有被考虑在内。

For all other hashes the salt value is a defined set of bytes which are of course encoded into ASCII safe b64 and put after the $ sign and then the verifying function would only have to split the string into parts via the delimiter $ and then go for the third set of characters get the substr(0,B64_ENCODED_HASH_ALGORITHM_SALT_LEN) . 对于所有其他哈希,salt值是一组定义的字节,当然可以编码为ASCII安全b64并放在$符号之后,然后验证函数只需要通过分隔符$将字符串拆分成部分然后去第三组字符获得substr(0,B64_ENCODED_HASH_ALGORITHM_SALT_LEN) After that it would then pass the parameters it also got from the split string and pass those back into the password_hash function along with the password to check. 之后,它将传递它从分裂字符串中获得的参数,并将这些参数传递回password_hash函数以及要检查的密码。

The string it gives you is defined by the hashing algorithm's standard in most cases but is almost always something to the pattern of 它给你的字符串在大多数情况下由散列算法的标准定义,但几乎总是符合模式

$<ALGORITHM_ID>$<COST_IN_FORMAT>$<BASE64_ENCODED_SALT><BASE64_ENCODED_HASH>$

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 (PHP 5 &lt;5.5.0)的password_hash()的替代方法是什么? - what is an alternative to password_hash() for (PHP 5 < 5.5.0)? PHP中的password_hash()怎么样? - What about password_hash() in PHP password_hash中的默认算法是什么 - What is the default algorithm in password_hash PHP:password_hash和hash_hmac有什么区别? - PHP: What is the difference between password_hash and hash_hmac? 什么密码强度足以与password_hash函数一起使用? - What is password strength considered enough for use with password_hash function? 什么是MAX允许的成本php_hash? - What is MAX allowed cost in php password_hash? 如果不支持password_hash怎么办 - What should I do if password_hash isn't supported 我应该为password_hash()使用什么列字符编码? - What column character encoding should I use for password_hash()? 为password_hash()设置一个盐 - Setting a salt for password_hash() 正确使用password_hash - correct use of password_hash
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM