PHP 5.5 password_* functions re-hashing


Question

I have set up my password hashing using the PHP password_* functions:

1) password_hash($password, PASSWORD_BCRYPT, array('cost' => 11));

2) return password_verify($password, $hashedPassword) ? true : false;

Everything works fine.

I also found the password_needs_rehash() function, which takes 2 params, $hashedPassword and the algorithm, for example:

password_needs_rehash($hashedPassword, PASSWORD_BCRYPT);

I understand this is to be used when the algorithm or the cost has changed, something like:

    if (!password_verify($password, $hashedPassword)) {
        return false;
    }
    if (password_needs_rehash($hashedPassword, PASSWORD_BCRYPT)) {

        $hashedPassword = password_hash($password, PASSWORD_BCRYPT);
        // update user password in database with $hashedPassword

    }
    return true;

Everything is clear, I just have one doubt.

I tried changing the cost, without calling the password_needs_rehash() function, and I was able to log in.

I also tried changing the function which generates the hash: I changed the algorithm from PASSWORD_BCRYPT to PASSWORD_DEFAULT.

I can always log in.

Can someone explain how this works?

If we don't re-hash when the algorithm changes, how do the PHP password_* functions handle this?

PS: A small question within the question... Using the PHP password_* functions, is it recommended to use a "salt" for the password or not?

Thanks!

Answer

The algorithm used and its cost are embedded in the password hash. It's the first couple of letters:

$2y$10$abcdefg...123456789...
 |  |    |        |
 |  |    |        +- the password hash
 |  |    +- the salt
 |  +- the cost parameter
 +- the algorithm type

(See also http://stackoverflow.com/a/16736254/476)

As such, when verifying the password, password_verify knows what algorithm to use.

The point of checking whether the password needs rehashing is to confirm whether the algorithm and cost factor embedded in the hash are still the same as the ones you would like to use. If they are not the same, you should rehash the password with the new configuration.

The typical use is that over time you will increase the cost factor as hardware gets faster and can handle hashing with larger costs. That does not suddenly invalidate your old passwords; those will still be verified using the old settings embedded in the hash. However, since you happen to have the plaintext password at hand at the time of verification, you should use that opportunity to update the hash with the newer settings.
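The behaviour described in the answer, as an added example that is not part of the original question or answer. It assumes PHP 5.5 or later; the password and the two cost values are constructed for the example, and verifyAndUpgrade() is a hypothetical helper written here, not a PHP built-in. It also uses password_get_info() to read the parameters embedded in the hash, and relies on the fact that PASSWORD_DEFAULT currently resolves to bcrypt, which is why switching from PASSWORD_BCRYPT to PASSWORD_DEFAULT in the question produced hashes that verified unchanged.

```php
<?php
// Added example, not from the original question or answer.
// Assumes PHP >= 5.5. The password and the cost values are constructed here.

$password   = 'correct horse battery staple';   // constructed sample input
$oldCost    = 10;                                // cost the hash was created with
$targetCost = 12;                                // cost the application wants today

// A hash produced earlier, i.e. before the cost was raised.
$storedHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $oldCost]);

// The parameters live inside the hash: "$2y$" is the algorithm, "10$" the cost,
// then the 22-character salt, then the hash. password_get_info() parses them.
$info = password_get_info($storedHash);
if ($info['algoName'] !== 'bcrypt' || $info['options']['cost'] !== $oldCost) {
    throw new RuntimeException('unexpected hash format: ' . $storedHash);
}
if (strpos($storedHash, '$2y$' . $oldCost . '$') !== 0) {
    throw new RuntimeException('prefix does not carry the cost: ' . $storedHash);
}

// password_verify() reads the algorithm, cost and salt from the stored hash,
// so it succeeds no matter what cost the application uses for new hashes.
// This is why raising the cost (or swapping PASSWORD_BCRYPT for PASSWORD_DEFAULT,
// which is bcrypt as well) without rehashing still lets old users log in.
if (!password_verify($password, $storedHash)) {
    throw new RuntimeException('verify failed');
}

// password_needs_rehash() is the only call that notices the gap between the
// cost in the hash and the cost you want now.
if (!password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $targetCost])) {
    throw new RuntimeException('needs_rehash should report the cost change');
}
if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $oldCost])) {
    throw new RuntimeException('needs_rehash should accept a matching cost');
}

/**
 * Login step: verify first, then upgrade the hash while the plaintext is in hand.
 * Returns the hash to store (new or unchanged), or null when the password is wrong.
 * Hypothetical helper written for this example.
 */
function verifyAndUpgrade($password, $storedHash, $cost)
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        // password_hash() generates its own random salt; do not supply one.
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return $storedHash;
}

$newHash = verifyAndUpgrade($password, $storedHash, $targetCost);
if ($newHash === null || $newHash === $storedHash) {
    throw new RuntimeException('hash should have been upgraded');
}
if (password_get_info($newHash)['options']['cost'] !== $targetCost) {
    throw new RuntimeException('upgraded hash does not carry the new cost');
}
// A later login against the upgraded hash needs no further rehash.
if (verifyAndUpgrade($password, $newHash, $targetCost) !== $newHash) {
    throw new RuntimeException('upgraded hash should be stored as-is');
}
if (verifyAndUpgrade('wrong password', $newHash, $targetCost) !== null) {
    throw new RuntimeException('wrong password must be rejected');
}

echo "stored:   $storedHash\nupgraded: $newHash\n";
// At this point the application would UPDATE the user's row with $newHash.
```

Two practical notes follow from the checks above. First, only the login path can do the upgrade, because it is the only place the plaintext exists; hashes of users who never log in keep the old cost, so a cost increase is gradual rather than instant. Second, the question's PS is answered by the hash layout in the answer: the salt is generated by password_hash() and stored inside the hash string, so there is nothing for the application to add.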
