dongle19863 2016-05-14 04:11
Views 44
Accepted

How can I increase the salt length for the PHP crypt API with CRYPT_SHA512?

<?php

  echo 'SHA-512:' . crypt('rasmuslerdorf', '$6$rounds=5000$usesomesillystringforsalt$');

Output: SHA-512: $6$rounds=5000$usesomesillystri$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6EY47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21

It uses only a 16-character salt: usesomesillystri

Refs: crypt — One-way string hashing

Question:

  • Is it possible to increase the salt length?
  • Is there any drawback if we increase the salt length?

Thanks in advance.


1 answer

  • duandou8120 2016-05-15 21:57

    Two questions immediately come to mind:

    1. Why are you using CRYPT_SHA512 instead of CRYPT_BLOWFISH?
    2. Why are you using crypt() instead of password_hash()/password_verify()/password_needs_rehash()?

    One of the reasons you should use password_* instead of crypt() is it will generate a unique random salt for you. You really don't want to hand-roll your own salt generator if your goal is to be secure.

    Is it possible to increase the salt length?

    SHA512Crypt only allows a 16-character salt. Bcrypt uses a 22-character salt (a base64-encoded representation of a 128-bit random string).

    Let's quantify this: A 128-bit salt (powered by a CSPRNG) will repeat exactly once (with 50% probability) after 2^64 (1.8446744e+19, or 18,446,744,073,709,551,616) password hashes are generated.

    That's about 2.6 billion bcrypt hashes for every living person on planet Earth.

    You don't need a longer salt for any appreciable security gain.

    Is there any drawback if we increase the salt length?

    It will silently truncate and, while you may feel smart for seemingly using a longer salt, it will have no effect on the security.

    Further reading: How to safely store your users' passwords in 2016.

    This answer was selected as the best answer by the asker.
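The two points in the accepted answer, shown in working code as an added example (this is not code from the question, the answer, or the PHP manual): crypt() with CRYPT_SHA512 keeps only the first 16 characters of whatever salt you pass, and password_hash()/password_verify()/password_needs_rehash() generate and manage the salt for you. The helper names sha512Setting() and embeddedSalt() are made up for this example; it assumes PHP 7.0 or later (random_bytes() and the password_* API). CRYPT_SHA512 is always available because PHP ships its own implementation.

```php
<?php
// Added example, not from the original question or answer.
// Assumes PHP >= 7.0 (random_bytes, password_* API).
declare(strict_types=1);

// Hypothetical helper: build a SHA-512-crypt setting string
// "$6$rounds=N$<salt>$" with a CSPRNG-generated salt of $saltChars
// characters drawn from crypt()'s salt alphabet [./0-9A-Za-z].
function sha512Setting(int $saltChars, int $rounds = 5000): string
{
    // base64 uses A-Za-z0-9+/; map '+' to '.' so every character is legal.
    // random_bytes($saltChars) yields more than $saltChars unpadded base64
    // characters, so substr() never reaches the '=' padding.
    $alphabet = strtr(base64_encode(random_bytes($saltChars)), '+', '.');
    $salt = substr($alphabet, 0, $saltChars);
    return sprintf('$6$rounds=%d$%s$', $rounds, $salt);
}

// Hypothetical helper: return the salt field crypt() actually embedded.
// Output layout is $6$[rounds=N$]<salt>$<hash>; the rounds field is only
// present when it was given in the setting string.
function embeddedSalt(string $hash): string
{
    $fields = explode('$', $hash); // ['', '6', 'rounds=N', salt, hash]
    return strncmp($fields[2], 'rounds=', 7) === 0 ? $fields[3] : $fields[2];
}

$password = 'rasmuslerdorf';

// 1. crypt() with a 32-character salt: only the first 16 are kept.
$setting = sha512Setting(32);
$hash    = crypt($password, $setting);
$used    = embeddedSalt($hash);
printf("setting  : %s\n", $setting);
printf("hash     : %s\n", $hash);
printf("salt kept: %s (%d of 32 characters)\n", $used, strlen($used));

// Verify by re-running crypt() with the stored hash as the setting string;
// hash_equals() keeps the comparison constant-time.
$ok = hash_equals($hash, crypt($password, $hash));
printf("crypt() verify: %s\n", $ok ? 'ok' : 'FAIL');

// 2. The recommended API: bcrypt via password_hash(); the 22-character
//    salt (128 bits from a CSPRNG) is generated and stored for you.
//    Layout: $2y$<cost>$<22-char salt><31-char hash>
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
printf("bcrypt     : %s\n", $stored);
printf("bcrypt salt: %s (22 characters)\n", substr($stored, 7, 22));
printf("verify good: %s\n", password_verify($password, $stored) ? 'ok' : 'FAIL');
printf("verify bad : %s\n", password_verify('not-the-password', $stored) ? 'FAIL' : 'rejected');

// 3. When the cost policy is raised, rehash on the next successful login.
$policy = ['cost' => 12];
if (password_needs_rehash($stored, PASSWORD_BCRYPT, $policy)) {
    $stored = password_hash($password, PASSWORD_BCRYPT, $policy);
    printf("rehashed, new prefix: %s\n", substr($stored, 0, 7));
}
```

Run it with `php example.php`. The "salt kept" line always reports 16 characters regardless of the 32 requested, which is the silent truncation the answer describes; the bcrypt output shows the fixed 22-character salt field that password_hash() fills from its own CSPRNG, so no salt handling is left to application code.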
