普通网友 2014-03-20 11:11
浏览 55
已采纳

PHP 5.5 password_ *函数重新散列

I have setup my password hashing using PHP password_* functions

1) password_hash($password, PASSWORD_BCRYPT, array("cost" => 11);

2) return password_verify($password, $hashedPassword)? true : false;

Everything work fine.

I found also password_needs_rehash() function, which tak 2 params, $hashedPassword and algorithm, example:

password_needs_rehash($hashedPassword, PASSWORD_BCRYPT);

I understand to use this when it's changed algorithm or cost, something like:

    if (!password_verify($password, $hashedPassword)) {
        return false;
    }
    if (password_needs_rehash($hashedPassword, PASSWORD_BCRYPT)) {

        $hashedPassword = password_hash($password, PASSWORD_BCRYPT);
        // update user password in database with $hashedPassword

    }
    return true;

Everything it's clear, I have just a doubt.

I try change the cost, without calling password_needs_rehash() function, and I am able to login.

I try also change on my function which generate hash, I change algorithm from PASSWORD_BCRYPT to PASSWORD_DEFAULT.

I am always able to login.

Can someone explain how does it work?

If we don't re-hash when algorithm change, how PHP password_* handle this?

PS A small question into question... Using php function_* does it raccomanded to use "salt" for password or not?

Thanks!!

  • 写回答

1条回答 默认 最新

  • dpcj32769 2014-03-20 11:22
    关注

    The algorithm used and its cost are embedded in the password hash. It's the first couple of letters:

    $2y$10$abcdefg...123456789...
 |  |    |        |
 |  |    |        +- the password hash
 |  |    +- the salt
 |  +- the cost parameter
 +- the algorithm type

    (Also see https://stackoverflow.com/a/16736254/476)

    As such, when verifying the password, password_verify knows what algorithm to use.

    The use of checking whether the password needs rehashing is to confirm whether the algorithm and cost factor embedded in the hash are still the same as the ones you would like to use. If they are not the same, you should rehash the password with the new configuration.

    The typical use is that over time, you will increase the cost factor as hardware gets faster and can handle hashing with larger costs. That does not suddenly invalidate your old passwords, those will still be confirmed using the old settings embedded in the hash. However, since you happen to have the plaintext password at hand at the time of verification, you should use that opportunity to update the hash with the newer settings.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
  • ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
  • ¥15 手机接入宽带网线,如何释放宽带全部速度
  • ¥30 关于#r语言#的问题:如何对R语言中mfgarch包中构建的garch-midas模型进行样本内长期波动率预测和样本外长期波动率预测
  • ¥15 ETLCloud 处理json多层级问题
  • ¥15 matlab中使用gurobi时报错
  • ¥15 这个主板怎么能扩出一两个sata口
  • ¥15 不是,这到底错哪儿了😭
  • ¥15 2020长安杯与连接网探
  • ¥15 关于#matlab#的问题:在模糊控制器中选出线路信息,在simulink中根据线路信息生成速度时间目标曲线(初速度为20m/s,15秒后减为0的速度时间图像)我想问线路信息是什么