
What about password_hash() in PHP

I've been reading all kinds of forums and tutorials about this password_hash() that seems to be good for password protection.

But now I want to know if it's better to make my own salt and hash for the function, like

$options = [
    'cost' => 11,
    'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM),
];
password_hash($password, PASSWORD_BCRYPT, $options);

Or just let the function do it:

password_hash($password, PASSWORD_DEFAULT);

There seems to be a lot of discussion about whether or not it's good or bad to use your own salt.

Can somebody explain why it's bad (or not) to use your own salt?

Because if you don't create your own salt, it will create a secure salt automatically for you.

From the documentation:

Caution

It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.

So, to answer your question, if you don't know more about salts or the like... just don't use your own salt; this function is strong enough!

Salts are just a protection against a rainbow table attack.
It won't make one hash more difficult to break, but instead the larger whole.
If you use a different salt for every hash, the attacker will need to make a rainbow table for every password, which is impractical in terms of work and time.
Generating a salt with a pseudorandom RNG will do the job of protecting the larger whole of your passwords.
https://crypto.stackexchange.com/questions/1776/can-you-help-me-understand-what-a-cryptographic-salt-is

As the function already generates a secure salt, it is not recommended to generate your own with an RNG that is practically worse.
Just let the function generate a strong salt and it will be fine, and cost less work too, as you do not have to create salts yourself.

Correct way of creating salted hash password

Quote from previous link:

It is recommended that you do not pass your own salt, instead let the function create a cryptographically safe salt from the random source of the operating system.

The salt will be included in the resulting hash-value, so you don't have to store it separately. Just create a 60 character string field in your database and store the hash-value. The function password_verify() will extract the used salt from the stored hash-value. For more information you can have a look at my tutorial about storing passwords.
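The behaviour described in the two answers above, as an added example that is not part of the original question or answers: the 60-character string returned by password_hash() carries the algorithm, the cost and a fresh random salt, password_verify() reads them back out, and password_needs_rehash() lets you raise the cost later without storing anything extra. The parseBcryptHash() helper and the sample password are constructed for this example; it assumes PASSWORD_DEFAULT resolves to bcrypt, which the code checks before parsing.

```php
<?php
// Split a bcrypt string into its fields to show that the salt lives inside it.
// Layout: $2y$<cost>$<22-char salt><31-char digest>, 60 characters in total.
function parseBcryptHash(string $hash): array
{
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'correct horse battery staple'; // constructed sample input

// Let the function choose the algorithm, the cost and the salt.
$stored = password_hash($password, PASSWORD_DEFAULT);

// Only parse the result if PASSWORD_DEFAULT really is bcrypt on this PHP build.
if (password_get_info($stored)['algoName'] !== 'bcrypt') {
    exit("PASSWORD_DEFAULT is not bcrypt here; skipping field parsing\n");
}
$parts = parseBcryptHash($stored);
printf("stored (%d chars): %s\n", strlen($stored), $stored);
printf("cost=%d salt=%s\n", $parts['cost'], $parts['salt']);

// Hashing the same password twice gives different strings, purely because
// a new salt is drawn each time; both still verify.
$again = password_hash($password, PASSWORD_DEFAULT);
var_dump($stored !== $again);
var_dump(parseBcryptHash($again)['salt'] !== $parts['salt']);

// Verification needs only the stored string: salt and cost are read from it.
var_dump(password_verify($password, $stored));
var_dump(password_verify($password, $again));
var_dump(password_verify('wrong password', $stored));

// Raising the work factor later: check at login time and rehash when needed.
$target = ['cost' => 12];
if (password_needs_rehash($stored, PASSWORD_DEFAULT, $target)) {
    $stored = password_hash($password, PASSWORD_DEFAULT, $target);
}
var_dump(parseBcryptHash($stored)['cost'] >= 12);
```

Note that the 'salt' option used in the question's first snippet has been deprecated since PHP 7.0 and is ignored since PHP 8.0, so current versions use the generated salt regardless.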
