PHP中的password_hash()怎么样?
[英]What about password_hash() in PHP
问题描述
I've been reading all kind of forums and tutorials about this password_hash() that seems to be good for password protection. 
我一直在阅读各种关于这个password_hash()的论坛和教程,它们似乎对密码保护有好处。
But now i want to know if it's better to make an own salt and hash for the function like 但现在我想知道是否最好为函数制作一个自己的salt和hash
$options = [
'cost' => 11,
'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
password_hash($password, PASSWORD_BCRYPT, $options);
Or just let the function do it: 或者只是让功能执行:
password_hash($password, PASSWORD_DEFAULT);
There seems to be a lot of discussion about whether or not it's good or bad to use your own salt. 关于使用自己的盐是好还是坏,似乎有很多讨论。
Can somebody explain why its bad (or not) to use your own salt? 有人可以解释为什么使用自己的盐是坏的(或不是)?
2 个解决方案
解决方案1
3 已采纳 2015-01-06 14:41:15
Because if you don't create your own salt, It will create a secure salt automatically for you. 因为如果你不创建自己的盐,它会自动为你创建一个安全的盐。
From the documentation : 从文档:
Caution
It is strongly recommended that you do not generate your own salt for this function.
So, for answer your question, if you don't know more about salt or other... Just don't use your own salt, this function is strong enough ! 所以,为了回答你的问题,如果你不了解更多关于盐或其他...只是不要使用自己的盐,这个功能足够强大!
解决方案2
1 2015-01-06 14:40:13
Salts are just a protection against a rainbow table attack. 盐只是对彩虹桌攻击的保护。
It won't make one hash more difficult to break but instead the larger whole. 它不会使一个哈希更难以打破,而是更大的整体。
If you use a different salt for every hash, the attacker will need to make a rainbow table for every password. 如果您为每个哈希使用不同的salt,攻击者将需要为每个密码创建一个彩虹表。
Which is unpractical in means of work and time. 这在工作和时间方面是不切实际的。
Generating a salt with a pseudorandom-rng will do the job of protecting the larger whole of your passwords. 使用伪随机rng生成salt将完成保护更大密码的工作。
https://crypto.stackexchange.com/questions/1776/can-you-help-me-understand-what-a-cryptographic-salt-is https://crypto.stackexchange.com/questions/1776/can-you-help-me-understand-what-a-cryptographic-salt-is
As the function already generates a secure salt it is not recommended to generate your own with a rng that is practically worse. 由于该函数已经生成了一个安全的盐,因此不建议使用实际上更差的rng来生成自己的盐。
Just let the function generate a strong salt and it will be fine and cost less work too as you do not have to create salts yourself. 只需让这个功能产生强盐,它就会很好,而且你也不需要自己创造盐就可以减少工作量。 Correct way of creating salted hash password 正确创建盐渍哈希密码的方法
Quote from previous link: 从以前的链接引用:
It is recommended that you do not pass your own salt, instead let the function create a cryptographically safe salt from the random source of the operating system.
The salt will be included in the resulting hash-value, so you don't have to store it separately.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.