在 PHP 中正确使用 crypt() 和 SHA512 [英] Correctly using crypt() with SHA512 in PHP

问题描述

网上所有的例子都是这样使用crypt的:

All the examples online show the use of crypt like this:

$pass = crypt('something','$6$rounds=5000$anexamplestringforsalt$');

但每个人都说你不应该定义轮次或盐分.

But everyone says that you are not supposed to define the rounds or the salt.

那我应该如何使用它?

我还有一个问题:当我运行上面的代码时，它只运行了 50 轮而不是 5000 轮，就好像系统正在停止它一样.

Also I am having a problem: when I run the code above, it only runs 50 rounds instead of 5000 rounds as if the system is stopping it.

任何帮助将不胜感激.

//- 解决方案-//

我发现其中一些很有用:

I have found some of these to be useful:

用于生成盐:

这是一种随机生成盐的方法

Here is a random way of generating salt

$randomString = random_bytes(32);

Base 64 编码，确保某些字符不会对 crypt 造成问题

Base 64 encode to ensure that some characters will not cause problems for crypt

$salt = base64_encode($randomString);

对于散列:

$hashed = crypt($passwordInput, '$6$'.$salt);

确认:

if (crypt($passwordInput, $hashed) == $hashed) { 
  // Valid action
} else { 
  // Invalid action
}

** 特别感谢@lathspell 帮助我们解决上述问题 **

** Special Thanks to @lathspell for help with arriving at above solution **

推荐答案

运行该算法一定数量的轮次的主要原因只是为了减慢它的速度，使蛮力攻击变得无趣.即使对于现代硬件，5000 次迭代也足够了.您也可以使用 100000，但是您的服务器管理员可能想和您说句话:-)rounds=5000 是 SHA-512 的默认值.最小值为 1000，最大值非常高.

The main reason to run the algorithm for a certain amount of rounds is simply to slow it down to make brute forcing attacks uninteresting. For that 5000 iterations are enough even for modern hardware. You could as well use 100000 but then your server admin would probably want to have a word with you :-) rounds=5000 is the default for SHA-512. The minimum is 1000 and the maximum very high.

这篇关于在 PHP 中正确使用 crypt() 和 SHA512的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！