双重password_hash PHP [英] Double password_hash php

问题描述

让我们来说一下：

$ b

我想知道是否可以/明智地在我的网站上为我的用户密码使用password_hash。
$ b

• 用户在我的网站上注册，他们输入密码，我们将这个
  输入 $ firstHash =
password_hash（$ input，PASSWORD_BCRYPT）

code>（举例来说，为了说明
，这个哈希值为thisFirstHash）


• 一旦哈希密码被重新哈希 $ firstHash =
password_hash（$ firstHash，PASSWORD_BCRYPT）（例如，让
  表示这个散列为thisSecondHash）




• 第二个散列是存储到数据库的内容，所以现在当他们
  登录时，服务器必须解密散列散列。




• 当用户登录时，他们再次输入密码，我们会再次
  调用这个 input




• 然后服务器必须重新登录ypt将输入与保存的
  散列进行比较 $ loginHash1 = password_hash（$ input，PASSWORD_BCRYPT）




• 服务器比较新的 loginHash1 变量与保存的
  散列 password_verify（$ loginHash1，thisSecondHash）

• 如果第一个哈希匹配，比较第二个哈希




• password_verify（$ input，thisFirstHash）

I在我的小测试环境中，我无法完全正确地工作，我怀疑这与随机化salt在登录阶段重新哈希输入时有所不同。

<所以我的问题是，

1. 有没有可能做到这一点？


2. 是否有益要做到这一点？

解决方案

实现安全哈希。增加复杂性不会增加任何安全性，并且使代码更难以调试。使用一个 password_hash 和一个 password_verify 。 PHP的 PASSWORD_DEFAULT 已被选为非常强大：

哈希

  $ hash = password_hash（$ cleartext，PASSWORD_DEFAULT）
  

验证

  $ isCorrect = password_verify（$ cleartext，$ hash）; 
  

如果您对PHP非常强大的默认值不满意，可以查看成本设置。但实际上并不需要。 文档：

< blockquote>

password_hash（）使用强大的散列，产生强烈的盐分，
自动应用适当的回合。 password_hash（）是一个简单的
crypt（）包装器，并与现有的密码哈希兼容。鼓励使用
password_hash（）。

I was wondering if it was possible/wise to use password_hash twice for my users passwords on my website.

So let's say this:

• User registers on my site, they enter a password, we will call this input.

• During account creation, their password is $firstHash = password_hash($input, PASSWORD_BCRYPT) (For example sake, lets say this hashes to "thisFirstHash"

• Once their password is hashed, it is hashed again $firstHash = password_hash($firstHash, PASSWORD_BCRYPT) (For example sake, lets say this hashes to "thisSecondHash")

• This second hash is what is stored to the database, so now when they log in, the server has to decrypt a hashed hash.

• When the user logs in, they enter their password again, we will again call this input

• the server then has to reencrypt the input to compare with the saved hash $loginHash1 = password_hash($input, PASSWORD_BCRYPT)

• The server compares the new loginHash1 variable with the saved hash password_verify($loginHash1,"thisSecondHash")

• If the first hash matches, compare the second hash

• password_verify($input,"thisFirstHash")

I couldn't quite get this to work properly in my small testing environment, I suspect it has something to do with the randomized salt being different during the login phase when rehashing the input.

So my questions are,

1. Is it possible to do this?
2. Is it beneficial to do this?

解决方案

The whole point of the password hashing API is to make it simple to implement secure hashing. Adding complexity as you are will not add any security, and it makes your code more difficult to debug. Use one password_hash and one password_verify. PHP's PASSWORD_DEFAULT is chosen to be very strong already:

To hash

$hash = password_hash($cleartext, PASSWORD_DEFAULT)

To verify

$isCorrect = password_verify($cleartext, $hash);

If you're not happy with PHP's very strong defaults, you can look into the cost setting. But it's really not needed. The docs say:

password_hash() uses a strong hash, generates a strong salt, and applies proper rounds automatically. password_hash() is a simple crypt() wrapper and compatible with existing password hashes. Use of password_hash() is encouraged.

这篇关于双重password_hash PHP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！