如何在PHP中使用Blowfish创建和存储密码哈希 [英] How to create and store password hashes with Blowfish in PHP

问题描述

1)如何使用crypt()创建安全的Blowfish密码哈希?

$hash = crypt('somePassword', '$2a$07$nGYCCmhrzjrgdcxjH$');

1a)"$ 2a"的含义是什么?它只是表明应该使用Blowfish算法吗?
1b)"$ 07"的含义是什么?更高的值表示更安全的哈希吗?
1c)"$ nGYCCmhrzjrgdcxjH $"的含义是什么?这是将要使用的盐吗?是否应该随机生成?硬编码?

1a) What is the significance of "$2a"? Does it just indicate that the Blowfish algorithm should be used?
1b) What is the significance of "$07"? Does a higher value imply a more secure hash?
1c) What is the significance of "$nGYCCmhrzjrgdcxjH$"? Is this the salt that will be used? Should this be randomly generated? Hard-coded?

2)如何存储河豚散列?

echo $hash;
//Output: $2a$07$nGYCCmhrzjrgdcxjH$$$$.xLJMTJxaRa12DnhpAJmKQw.NXXZHgyq

2a)其中的哪一部分应存储在数据库中?
2b)列应使用哪种数据类型(MySQL)?

2a) What part of this should be stored in the database?
2b) What data type should be used for the column (MySQL)?

3)应该如何验证登录尝试?

推荐答案

您应该存储crypt的整个输出，将其拆分没有太大意义，因为您需要为每个密码生成一个新的salt在任何情况下都重新哈希.使用Matt提到的固定隐藏盐是错误的-每个哈希值的盐都应该不同.

You should store the entire output of crypt, there's not a lot of point in splitting it up, because you need to generate a new salt for each password you're hashing in any case. Using a fixed hidden salt as mentioned by Matt is wrong - the salt should be different for every hash.

有关更多信息，请参见 http://www.openwall.com/articles/PHP-用户密码-我建议使用phpass库，因为它可以为您生成随机的盐，这与crypt()不同.

For more information see http://www.openwall.com/articles/PHP-Users-Passwords - I recommend using the phpass library because it handles generating a random salt for you, unlike crypt().

这篇关于如何在PHP中使用Blowfish创建和存储密码哈希的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！