用 PHP 中的 crypt() 比较密码 [英] Comparing passwords with crypt() in PHP

问题描述

我需要了解此功能的基础知识.对于河豚算法，php.net 文档指出:

I need to get the basics of this function. The php.net documentation states, for the blowfish algorithm, that:

Blowfish 用盐散列如下:$2a$"，一个两位数的成本参数，$"，以及来自字母表./0-9A-Za-z"的 22 个基数 64 位.在盐中使用此范围之外的字符将导致 crypt() 返回零长度字符串

Blowfish hashing with a salt as follows: "$2a$", a two digit cost parameter, "$", and 22 base 64 digits from the alphabet "./0-9A-Za-z". Using characters outside of this range in the salt will cause crypt() to return a zero-length string

因此，根据定义，这不应该起作用:

So this, by definition, should not work:

echo crypt('rasmuslerdorf', '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringforsalt$');

然而，它吐出来了:

$2a$07$usesomadasdsadsadsadaeMTUHlZEItvtV00u0.kb7qhDlC0Kou9e

crypt() 似乎将盐本身的长度减少到 22.有人可以解释一下吗?

Where it seems that crypt() has cut the salt itself to a length of 22. Could somebody please explain this?

这个功能的另一个我无法理解的方面是当他们使用 crypt() 来比较密码时.http://php.net/manual/en/function.crypt.php(看看例子.#1).这是否意味着如果我使用相同的盐来加密所有密码，我必须先对其进行加密?即:

Another aspect of this function I can't get my head around is when they use crypt() to compare passwords. http://php.net/manual/en/function.crypt.php (look at ex. #1). Does this mean that if I use the same salt for all encrypting all my passwords, I have to crypt it first? ie:

$salt = "usesomadasdsadsadsadae";
$salt_crypt = crypt($salt);

if (crypt($user_input, $salt) == $password) {
   // FAIL WONT WORK
}

if (crypt($user_input, $salt_crypt) == $password) {
   // I HAVE TO DO THIS?
}    

感谢您的时间

推荐答案

以下代码示例可能会回答您的问题.

Following code example may answer your questions.

要使用 Blowfish 生成散列密码，您首先需要生成一个盐，它以 $2a$ 开头，然后是迭代计数和 22 个 Base64 字符串字符.

To generate hashed password using Blowfish, you first need to generate a salt, which starts with $2a$ followed by iteration count and 22 characters of Base64 string.

$salt = '$2a$07$usesomadasdsadsadsadasdasdasdsadesillystringfors';
$digest = crypt('rasmuslerdorf', $salt);

将整个 $digest 存储在数据库中，它包含盐和摘要.

Store the whole $digest in database, it has both the salt and digest.

比较密码时，就这样做，

When comparing password, just do this,

  if (crypt($user_input, $digest) == $digest)

您将摘要作为盐重用.crypt 从算法标识符中知道盐的长度.

You are reusing the digest as salt. crypt knows how long is the salt from the algorithm identifier.

这篇关于用 PHP 中的 crypt() 比较密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！