Generating Password Hash In PHP 5.5 And Setting Cost Option


Question

I know PHP 5.5 is in alpha but this class I am making is just being made in advance to utilize its hashing feature by using function_exists().

I checked out the password_hash documentation. The 3rd argument is for $options which currently supports two options, 'salt' and 'cost'.

It states the following:

cost, which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page.

When I go to the crypt() page the documentation it gives is:

Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a two digit cost parameter, "$", and 22 digits from the alphabet "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to return a zero-length string. The two digit cost parameter is the base-2 logarithm of the iteration count for the underlying Blowfish-based hashing algorithm and must be in range 04-31, values outside this range will cause crypt() to fail. Versions of PHP before 5.3.7 only support "$2a$" as the salt prefix: PHP 5.3.7 introduced the new prefixes to fix a security weakness in the Blowfish implementation. Please refer to » this document for full details of the security fix, but to summarise, developers targeting only PHP 5.3.7 and later should use "$2y$" in preference to "$2a$".

I can't seem to get my head wrapped around this. It says PHP 5.3.7 and later should use $2y$, but what cost value do I use to get that one, and is it the best value to choose? The example they provide uses a value of 7, but according to the above it can go up to 31; what difference does it make to use, say, 4 as opposed to, say, 31?

Accepted answer

The function password_hash() is just a wrapper around the function crypt(), and shall make it easier to use it correctly. It takes care of the generation of a safe random salt, and provides good default values.

The easiest way to use this function will be:

$hash = password_hash($password, PASSWORD_DEFAULT);

That means, the function will hash the password with BCrypt (algorithm 2y), generates a random salt, and uses the default cost (at the moment this is 10). These are good default values; particularly, I would not generate the salt on your own, it is easy to make mistakes there.

Should you want to change the cost parameter, you can do it like that:

$hash = password_hash($password, PASSWORD_BCRYPT, ["cost" => 11]);

Increasing the cost parameter by 1 doubles the needed time to calculate the hash value. The cost parameter is the logarithm (base-2) of the iteration count, that means:

$iterations = pow(2, $cost); // note: in PHP "2 ^ $cost" would be bitwise XOR, not exponentiation

I missed the point, that you want to generate your own class. For PHP version 5.3.7 and later, there exists a compatibility pack, from the same author that made the password_hash() function. You can either use this code directly, or look at the well crafted implementation. For PHP versions before 5.3.7 there is no support for crypt with 2y, the unicode aware BCrypt algorithm. You can instead use 2a, which is the best alternative for earlier PHP versions. I did an example with a lot of comments, maybe you want to have a look at it too.

P.S. The expressions "salt" and "cost factor" are used correctly in password_hash(); the crypt() function though, uses the word salt for all crypt parameters together, that's a bit misleading.
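The following is an added example, not code from the question or the answer above. It shows the full password_hash()/password_verify() workflow discussed in the answer, measures how the cost parameter doubles the hashing time, and picks a cost that fits a time budget on the machine it runs on. It assumes PHP 5.5 or later (or the password_compat library on PHP 5.3.7 to 5.4); the helper names measure_hash_time() and calibrate_cost(), the 0.25 second budget and the sample password are the example's own choices, not values from the page.

```php
<?php
// Added example (not from the original question or answer).
// Assumes PHP >= 5.5, where password_hash(), password_verify(),
// password_get_info() and password_needs_rehash() are built in.

// Seconds needed to compute one bcrypt hash at the given cost.
function measure_hash_time($cost, $password = 'measurement-only')
{
    $start = microtime(true);
    password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    return microtime(true) - $start;
}

// Highest cost whose hash still finishes within $targetSeconds on this host.
// 4 is the smallest cost bcrypt accepts, 31 the largest.
function calibrate_cost($targetSeconds = 0.25)
{
    $cost = 4;
    while ($cost < 31 && measure_hash_time($cost + 1) <= $targetSeconds) {
        $cost++;
    }
    return $cost;
}

$password = 'correct horse battery staple'; // constructed sample input

// Simplest use: bcrypt ($2y$), random salt generated for you, default cost.
$hash = password_hash($password, PASSWORD_DEFAULT);
echo "default hash: $hash\n";
$info = password_get_info($hash);
printf("algorithm=%s cost=%d\n", $info['algoName'], $info['options']['cost']);

// Each +1 on the cost doubles the work, since iterations = 2^cost.
foreach (array(4, 8, 10, 12) as $cost) {
    printf("cost %2d: %.4f s per hash\n", $cost, measure_hash_time($cost));
}

// Choose the cost from a time budget rather than from a fixed number.
$chosen = calibrate_cost(0.25);
printf("cost chosen for this machine: %d\n", $chosen);
$hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => $chosen));

// Verification needs no stored cost or salt: both are parsed from the hash string.
var_dump(password_verify($password, $hash));
var_dump(password_verify('wrong password', $hash));

// Raising the cost later: after a successful login, rehash if the stored
// hash no longer matches the currently configured algorithm and cost.
$newCost = $chosen + 1;
$opts = array('cost' => $newCost);
if (password_verify($password, $hash) && password_needs_rehash($hash, PASSWORD_BCRYPT, $opts)) {
    $hash = password_hash($password, PASSWORD_BCRYPT, $opts);
    echo "rehashed at cost $newCost\n";
}
```

Run it from the command line with php; the measured times answer the "4 versus 31" question directly, since cost 31 would take 2^27 times longer than cost 4. The rehash-on-login step is how an application keeps the stored hashes at the configured cost without knowing the plaintext at any other time.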

