Which is the best password hashing algorithm for PHP?


Problem description



I was just reading a post on creating a login system, and while reading it I saw something about password hashing.

We are going to store an sha256 hash which is a string always containing 64 characters.

This article teaches using the sha256 hash function. After reading this, I did not stop but kept searching for more about creating a secure login system, and then I came across this article by wikiHow. In this article, they are using the sha512 hash function. This really confused me as to which function I am going to use for my next login system. I still searched Google for a better article and found this article by crackstation. The writer recommends both sha256 and sha512.

Only cryptographic hash functions may be used to implement password hashing. Hash functions like SHA256, SHA512, RipeMD, and WHIRLPOOL are cryptographic hash functions.

I thought my search was over and I could use the sha256 or sha512 function, but while searching more I found this SO question. The accepted answer by Robert K had new things for me. The things I had never heard about before were bcrypt and scrypt.

All this stuff was written about 2 to 4 years ago.

Question

Which is the best password hashing algorithm used these days for PHP?

Solution

The main thing here is that you want to choose a hash that is slow. The only feasible attack vector for any of these hashes is brute forcing. Meaning, an attacker can only try all possible passwords one after the other, hashing them using the same algorithm as you did and comparing them to the hash. The longer this takes for one password, the more infeasible it is to find a match.

The SHA family of algorithms is designed to be fast, because they're not designed to be used for this purpose. As such they are by themselves somewhat unsuitable for password hashing; though they can be used as part of an algorithm which makes them suitable, such as PBKDF2 (which in short repeats the hashing many thousands of times to stretch it).

bcrypt and scrypt are explicitly designed to be slow and are as such much more suitable for password hashing. bcrypt is designed to be very expensive in terms of CPU power, while scrypt is designed to be very expensive in terms of memory consumption. CPU power is better scalable using today's hardware than memory is, so scrypt is currently seen as the best thing to use. Though it is very cutting edge at the moment and has seen little support in terms of usable code. bcrypt on the other hand is supported by PHP using password_hash directly.
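To show the answer's advice in practice, here is an added example that is not part of the original question or answer: it stores and verifies passwords with PHP's built-in bcrypt via password_hash(), migrates a legacy unsalted sha256 record to bcrypt on the user's next successful login, and times sha256 against bcrypt. The $users array, the "sha256$" legacy prefix, the BCRYPT_COST value and the verifyAndUpgrade() helper are constructed assumptions for this demo.

```php
<?php
// Added example, not code from the original question or answer. The user
// store, the "sha256$" legacy prefix and the helper name are constructed here.
declare(strict_types=1);
const BCRYPT_COST = 12; // raise over time; tune so one hash takes roughly 100-300 ms

// Constructed user store: one legacy sha256 record and one bcrypt record.
$users = [
    'alice' => 'sha256$' . hash('sha256', 'correct horse battery staple'),
    'bob'   => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
];

function verifyAndUpgrade(array &$users, string $name, string $password): bool
{
    $opts = ['cost' => BCRYPT_COST];
    if (!isset($users[$name])) {
        // Spend a bcrypt computation anyway so response time does not
        // reveal whether the account exists.
        password_hash($password, PASSWORD_BCRYPT, $opts);
        return false;
    }
    $stored = $users[$name];
    if (strncmp($stored, 'sha256$', 7) === 0) {
        // Legacy record: compare in constant time, then rehash with bcrypt.
        $expected = substr($stored, 7);
        if (!hash_equals($expected, hash('sha256', $password))) {
            return false;
        }
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, $opts);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Transparently rehash if the stored cost is below the current policy.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, $opts);
    }
    return true;
}

// Timing shows the answer's point: sha256 is fast, bcrypt is deliberately slow.
$t = microtime(true); hash('sha256', 'hunter2'); $sha = microtime(true) - $t;
$t = microtime(true); password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]); $bc = microtime(true) - $t;
printf("sha256: %.6f s   bcrypt(cost %d): %.3f s\n", $sha, BCRYPT_COST, $bc);

// A successful legacy login replaces alice's sha256 record with a $2y$ bcrypt hash.
var_dump(verifyAndUpgrade($users, 'alice', 'correct horse battery staple'));
var_dump(verifyAndUpgrade($users, 'bob', 'wrong'));
```

Run it with the PHP CLI; the printed timings will differ per machine, but bcrypt at cost 12 is several orders of magnitude slower than a single sha256 call, which is exactly the property the answer asks for.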
