PHP password_hash函数的盐长度为21或22? [英] PHP password_hash function salt length 21 or 22?
问题描述
代码:
echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-characters'] );
结果:
Warning: password_hash(): Provided salt is too short: 21 expecting 22
代码:
echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersA'] );
结果:
$2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX..YR7t/32
代码:
echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersB'] );
$2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX..YR7t/32
问题:
如您所见,通过将A和B附加到21个字符串中,我们创建了22个字符的两个不同的盐,但是哈希值是相同的!那是第22个字符被忽略吗?如果忽略它,为什么要索要22个字符的盐?
As you see, by appending A and B to 21 character strings we created two different salts of 22 characters, but, the HASHES are same! That is the 22nd character is ignored? If it is ignored then why does it ask for 22 character salt?
推荐答案
首先,请不要自己提供盐.您将不会比库做得更好.并且使用静态盐(如您在示例中所做的那样)会损害安全性.只是让它生成自己的盐(顺便说一句,我相信放盐是我在该API中犯的最大错误).
First, please don't provide your own salt. You're not going to do a better job generating it than the library does. And using static salts (like you did in the example) will compromise security. Just let it generate its own salt (incidentally, I believe letting a salt in is the biggest mistake I made in that API).
对于21个字符还是22个字符,请输入这个答案是读物.
As far as 21 vs 22 characters, give this answer a read.
基本上,盐是base64编码的.这意味着盐的每6位将被编码为8位.因此,编码盐的每个字节都是6位.
Basically, the salt is base64 encoded. This means that every 6 bits of the salt is encoded into 8 bits. So every byte of encoded salt is 6 bits.
21个字符为126位.这意味着仅使用了第22个字符的一部分(前2个解码位). A和B会得到相同的哈希的原因是,两个字符的前两位相同.
21 characters is 126 bits. That means that only part of the 22nd character is used (the first 2 decoded bits). The reason you get the same hash with A and B, is that the leading 2 bits are the same for both characters.
实际上,第22个字节只有4个唯一的哈希.
In fact, there are only 4 unique hashes for the 22nd byte.
这篇关于PHP password_hash函数的盐长度为21或22?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
