哈希密码的最佳方法是什么? password_hash是否足够安全?PHP 7中是否有更安全的方法? [英] What is the best way to hash a password? Is password_hash safe enough or is there a safer method in PHP 7?

问题描述

散列密码的最佳方法是什么?我知道一种做得很好的方法，但是我想知道在PHP 7+中是否还有更好的方法来散列密码，而不是

What is the best way to hash a password? I know a way that does a good job, but I was wondering if there is an even better way to hash passwords in PHP 7+ then password_hash(). Is password_hash good enough?

<?php
password_hash('PASSWORD HERE', PASSWORD_DEFAULT);
?>

推荐答案

我想知道在PHP 7+中是否还有比password_hash更好的哈希密码的方法.password_hash足够好吗?"

是的，它足够安全，是的，有更好/更安全的方法.从PHP 7.2开始，Argon2是新实现(散列)方法的一部分，该方法赢得了密码散列竞赛如果要将PHP版本升级到7.2，则是一种更可靠的方法.

Yes it is safe enough, and yes there is a better/safer way. As of PHP 7.2, Argon2 is part of a newly implemented (hashing) method that won the Password Hashing Competition which offers a more robust method, should you want to upgrade your version of PHP to 7.2.

关于 Wiki 的状态如下:

Argon2是密码散列竞赛推荐的密码散列算法，它是一种用于安全地散列密码的现代算法. Argon2解决了现有算法的几个关键缺点，因为它旨在实现最高的内存填充率，并有效使用多个计算单元，同时仍可提供抵御权衡攻击的防御能力.与仅需要一个成本因素的Bcrypt不同，Argon2由三个不同的因素进行参数化:

Argon2, the recommended password hashing algorithm by the Password Hashing Competition, is a modern algorithm for securely hashing passwords. Argon2 addresses several key downsides of existing algorithms in that it is designed for the highest memory filling rate, and effective use multiple computing units while still providing defense against tradeoff attacks. Unlike Bcrypt, which just takes a single cost factor, Argon2 is parameterized by three distinct factors:

1. 定义算法的内存使用情况的内存成本
2. 定义算法执行时间和迭代次数的时间成本
3. 还有一个并行度因子，它定义了并行线程的数量

1. A memory cost that defines memory usage of the algorithm
2. A time cost that defines the execution time of the algorithm and the number of iterations
3. And a parallelism factor, which defines the number of parallel threads

您还可以查看以下链接，其中包含有关Libsodium的更多信息 https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016

You can also look into the following link which contains more information on Libsodium https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016

关于 http://php.net/manual/zh/function上的手册.password-hash.php 还包含有关 PASSWORD_ARGON2I 的信息.

The manual on http://php.net/manual/en/function.password-hash.php also contains information on PASSWORD_ARGON2I.

变更日志指出:

添加了使用PASSWORD_ARGON2I支持Argon2密码的7.2.0.

7.2.0 Support for Argon2 passwords using PASSWORD_ARGON2I was added.

---

如果不能升级到PHP 7.2，则可能会增加成本".

---

If upgrading to PHP 7.2 is not an option, then you could increase the "cost".

从此答案和相关文章

Pulled from this answer and from the related post Generating Password Hash In PHP 5.5 And Setting Cost Option, and I quote:

将cost参数增加1，会使计算散列值所需的时间加倍. cost参数是迭代计数的对数(以2为底)，表示:

Increasing the cost parameter by 1, doubles the needed time to calculate the hash value. The cost parameter is the logarithm (base-2) of the iteration count, that means:

$ iterations = 2 ^ $ cost;

$iterations = 2 ^ $cost;

您还可以在此处通过Stack Overflow咨询其他问答:

You can also consult this other Q&A here on Stack Overflow:

• password_hash真正如何工作?

这篇关于哈希密码的最佳方法是什么? password_hash是否足够安全?PHP 7中是否有更安全的方法?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！