Is PHP password_hash() + password_verify() safe today (May 2016)?

Question

So the question is pretty much in the title ^^.

Below is a little PHP code I did to test performance on my server (+ screenshot of the result) and also show you how I intend to use, very simply, password_hash() and password_verify().

I think I will go with PASSWORD_BCRYPT and cost = 11. What do you think?

<?php
$startpage = microtime(true);
$userPassword = "ILike5InchesIceCubes";
echo "<h2>Password we work on :    " . $userPassword . "</h2><br><br>";

// Explicit bcrypt with the library's default cost (10 in PHP 5.5+); the salt is generated internally.
echo "<b>password_hash($userPassword, PASSWORD_BCRYPT) :<br></b>";
$start1 = microtime(true);
$hash = password_hash($userPassword, PASSWORD_BCRYPT);
echo "Hash is : " . $hash . "<br>";
echo "Encryption took : " . (microtime(true) - $start1) . " seconds <br>"; // bcrypt is a hash, not encryption; this measures hashing time
$start2 = microtime(true);
password_verify($userPassword, $hash);
echo "Password verification took : " . (microtime(true) - $start2) . " seconds <br><br>";

// PASSWORD_DEFAULT currently resolves to bcrypt but may change in future PHP versions.
echo "<b>password_hash($userPassword, PASSWORD_DEFAULT) :<br></b>";
$start1 = microtime(true);
$hash = password_hash($userPassword, PASSWORD_DEFAULT);
echo "Hash is : " . $hash . "<br>";
echo "Encryption took : " . (microtime(true) - $start1) . " seconds <br>";
$start2 = microtime(true);
password_verify($userPassword, $hash);
echo "Password verification took : " . (microtime(true) - $start2) . " seconds <br><br>";

// Sweep the cost factor from 4 to 16; each increment doubles the work for hashing and verification.
$cost = 4;
do {
    echo "<b>password_hash($userPassword, PASSWORD_BCRYPT, [\"cost\" => " . $cost . "])<br></b>";
    $start1 = microtime(true);
    $hash = password_hash($userPassword, PASSWORD_BCRYPT, ["cost" => $cost]);
    echo "Hash is : " . $hash . "<br>";
    echo "Encryption took : " . (microtime(true) - $start1) . " seconds <br>";
    $start2 = microtime(true);
    password_verify($userPassword, $hash);
    echo "Password verification took : " . (microtime(true) - $start2) . " seconds <br><br>";

    $cost++;
} while ($cost <= 16);
$endpage = microtime(true);

echo "The whole page took : " . ($endpage - $startpage) . " seconds <br>";
?>

Recommended answer

Yes, password_hash() is the way to go. There is a good write-up on Security StackExchange with more information here.


Using bcrypt is a good start; that's the recommended choice (or at least one of the recommended choices). The documentation seems to indicate that PHP finally does things properly. Make sure that your PHP version is at least 5.5.0. Don't try to fiddle with salts: by default, the function will generate a random salt when needed, and that's the right way to do it, so just let it do its job.

You should try to alter the "cost" option as well. For bcrypt, the cost is a value ranging from 4 to 31; each increment means that the password hashing is twice as expensive, both for your server and for the attacker. In practice, you want to make that value as high as can be tolerated, given your server power, average load, peak load, and maximum user patience: this will give you the best security that you can hope for.

(Note that I said "the best", not "good".)

If you want to understand the underlying concepts for good password hashing, and why bcrypt is a good choice, start here.

password_hash() has been greatly improved in PHP 5.5+, and this, along with PASSWORD_BCRYPT, should be a good way to go.
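The answer's advice to push the cost as high as the server tolerates leads to a practical follow-up that neither post shows: how to pick that cost from a measurement and how to migrate existing hashes when it is raised later. The following is an added example, not code from the question or the answer; the time budget, the helper names and the sample password are assumptions, and the benchmark must run on hardware representative of production.

```php
<?php
// Added example: tune the bcrypt cost against a time budget, then use
// password_needs_rehash() so stored hashes are upgraded transparently at login.

// Return the largest cost whose password_hash() call stays within $targetSeconds.
// If even $minCost exceeds the budget, $minCost is returned as the floor.
function tuneBcryptCost($targetSeconds = 0.25, $minCost = 10, $maxCost = 31)
{
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only-password', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start > $targetSeconds) {
            break; // this cost is too slow for the budget; keep the previous one
        }
        $chosen = $cost;
    }
    return $chosen;
}

// Registration: let password_hash() generate the random salt itself.
function storeNewPassword($password, $cost)
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login: verify, and if the stored hash was made with a weaker cost than the
// current policy, rehash now while the plaintext is available.
// Returns [verified (bool), replacement hash or null].
function checkLogin($password, $storedHash, $cost)
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return [true, password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost])];
    }
    return [true, null];
}

// Demo with a constructed password: an old hash at cost 10, then a raised policy.
$oldHash = storeNewPassword('ILike5InchesIceCubes', 10);
$cost = tuneBcryptCost();
list($ok, $upgraded) = checkLogin('ILike5InchesIceCubes', $oldHash, $cost);
printf("tuned cost=%d verified=%s rehashed=%s\n",
    $cost, $ok ? 'yes' : 'no', $upgraded !== null ? 'yes' : 'no');
```

When checkLogin() returns a replacement hash, write it back to the user record in the same request; a cost change is otherwise only applied to new registrations.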
