password_hash: any advantages of automatically generated salt over manual?


Question

If I understand correctly, any PHP upgrade, or moving to a different server, will make previously hashed passwords (stored in the database) useless? Because the salt will be different on a new system.

This makes me curious about the use cases for automatically generated salt.

Recommended answer

password_hash() now (as of PHP 7.1.*) only uses bcrypt for hashing passwords. The salt is saved along with the hash, so upgrading or moving to another server will not make hashes useless.

As @Jay Blanchard says in his comment, auto salts are an advantage because you just don't have to care. Everything is conveniently and automatically handled.

You should not even create the salt yourself, as it is also very easy to make a mistake when generating the salt yourself (non-random salt, incorrect random source for salt, etc).

Furthermore, the salt option is deprecated as of PHP 7.0.0 in the password_hash bcrypt algorithm, so PHP will always use an automatically generated salt.
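
Added example (not part of the original question or answer): the script below shows that the salt and cost travel inside the string password_hash() returns, which is why verification does not depend on the server that created it. The helper split_bcrypt() is a hypothetical name introduced here, and the password and the cost values 10 and 12 are constructed for illustration.

```php
<?php
// Added example: where the auto-generated salt lives in a bcrypt hash string.

/** Split a bcrypt string from password_hash() into its stored parts (hypothetical helper). */
function split_bcrypt(string $stored): array
{
    // Layout: $2y$ + 2-digit cost + $ + 22-char salt + 31-char digest = 60 chars
    $re = '~^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($re, $stored, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return ['variant' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

$password = 'correct horse battery staple'; // constructed sample input

// Hash the same password twice: PHP draws a fresh random salt for each call.
$first  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

$p1 = split_bcrypt($first);
$p2 = split_bcrypt($second);
echo "salt 1: {$p1['salt']}\n";
echo "salt 2: {$p2['salt']}\n";
echo 'salts differ: ', var_export($p1['salt'] !== $p2['salt'], true), "\n";

// Verification takes only the stored string; salt and cost are read back from it,
// so nothing about the original server or PHP build is needed.
echo 'verify first:  ', var_export(password_verify($password, $first), true), "\n";
echo 'verify second: ', var_export(password_verify($password, $second), true), "\n";
echo 'wrong guess:   ', var_export(password_verify('wrong guess', $first), true), "\n";

// After an upgrade, re-hash at login only if the stored parameters are outdated.
if (password_verify($password, $first)
    && password_needs_rehash($first, PASSWORD_BCRYPT, ['cost' => 12])) {
    $first = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}
echo 'cost after rehash: ', split_bcrypt($first)['cost'], "\n";
```

In an application, the rehash step runs inside the login handler, where the plaintext password is briefly available, and the new string replaces the old one in the database.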
