将密码与PHP中的crypt（）进行比较 [英] Comparing passwords with crypt() in PHP

问题描述

我需要得到这个功能的基础知识。对于blowfish算法，php.net文档规定：

带有盐的Blowfish散列如下：$ 2a $一个两位数的成本参数$，和22个64位数字从字母./0-9A-Za-z。在salt 中使用此范围之外的字符将导致crypt（）返回零长度字符串

因此，根据定义，不应该工作：

  echo crypt（'rasmuslerdorf'，'$ 2a $ 07 $ usesomadasdsadsadsadasdasdasdsadesillystringforsalt $' ）; 
  

但是，它吐出来：

  $ 2a $ 07 $ usesomadasdsadsadsadaadMTUHlZEItvtV00u0.kb7qhDlC0Kou9e 
  

似乎隐藏的地方（）已经将盐本身切成了一段长度22.有人可以解释一下吗？

这个功能的另一个方面是我不能让我的头脑使用crypt（）比较密码。 http://php.net/manual/en/function.crypt.php （见＃1）。这是否意味着如果我使用相同的盐来加密我所有的密码，我必须首先加密吗？即：

  $ salt =usesomadasdsadsadsada 
 $ salt_crypt = crypt（$ salt）; 
 
 if（crypt（$ user_input，$ salt）== $ password）{
 // FAIL WONT WORK 
} 
 
 if（crypt $ user_input，$ salt_crypt）== $ password）{
 //我有这个要做吗？ 
} 
  

感谢您的时间

解决方案

以下代码示例可能会回答您的问题。

要使用Blowfish生成散列密码，您首先需要生成盐，它以$ 2a $开始，后跟迭代计数和22个字符的Base64字符串。

  $ salt ='$ 2a $ 07 $ usesomadasdsadsadsadasdasdasdsadesillystringfors'; 
 $ digest = crypt（'rasmuslerdorf'，$ salt）; 
  

将整个$ digest存储在数据库中，它同时具有盐和摘要。

当比较密码时，只需执行此操作，

  if（crypt（$ user_input，$摘要）== $ digest）
  

你正在将消化重复为盐。 crypt知道算法标识符中的盐多长时间。

I need to get the basics of this function. The php.net documentation states, for the blowfish algorithm, that:

Blowfish hashing with a salt as follows: "$2a$", a two digit cost parameter, "$", and 22 base 64 digits from the alphabet "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to return a zero-length string

So this, by definition, should not work:

echo crypt('rasmuslerdorf', '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringforsalt$');

However, it spits out:

$2a$07$usesomadasdsadsadsadaeMTUHlZEItvtV00u0.kb7qhDlC0Kou9e

Where it seems that crypt() has cut the salt itself to a length of 22. Could somebody please explain this?

Another aspect of this function I can't get my head around is when they use crypt() to compare passwords. http://php.net/manual/en/function.crypt.php (look at ex. #1). Does this mean that if I use the same salt for all encrypting all my passwords, I have to crypt it first? ie:

$salt = "usesomadasdsadsadsadae";
$salt_crypt = crypt($salt);

if (crypt($user_input, $salt) == $password) {
   // FAIL WONT WORK
}

if (crypt($user_input, $salt_crypt) == $password) {
   // I HAVE TO DO THIS?
}    

Thanks for your time

解决方案

Following code example may answer your questions.

To generate hashed password using Blowfish, you first need to generate a salt, which starts with $2a$ followed by iteration count and 22 characters of Base64 string.

$salt = '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors';
$digest = crypt('rasmuslerdorf', $salt);

Store the whole $digest in database, it has both the salt and digest.

When comparing password, just do this,

  if (crypt($user_input, $digest) == $digest)

You are reusing the digest as salt. crypt knows how long is the salt from the algorithm identifier.

这篇关于将密码与PHP中的crypt（）进行比较的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！