dongle19863 2016-05-13 20:11
Views: 44
Accepted

How can the salt length be increased when using CRYPT_SHA512 with PHP's crypt() API?

<?php
// SHA-512 crypt with an explicit 25-character salt; only the first 16 characters are kept
echo 'SHA-512:' . crypt('rasmuslerdorf', '$6$rounds=5000$usesomesillystringforsalt$');

Output: SHA-512: $6$rounds=5000$usesomesillystri$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6EY47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21

It uses only a 16-character salt: usesomesillystri

Refs: crypt — One-way string hashing

Question:

  • Is it possible to increase the salt length?
  • Is there any drawback if we increase the salt length?

Thanks in advance.

1 answer

  • duandou8120 2016-05-15 13:57

    Two questions immediately come to mind:

    1. Why are you using CRYPT_SHA512 instead of CRYPT_BLOWFISH?
    2. Why are you using crypt() instead of password_hash()/password_verify()/password_needs_rehash()?

    One of the reasons you should use password_* instead of crypt() is it will generate a unique random salt for you. You really don't want to hand-roll your own salt generator if your goal is to be secure.

    Is it possible to increase the salt length?

    SHA512Crypt only allows a 16-character salt. Bcrypt uses a 22-character salt (a base64-encoded representation of a 128-bit random string).

    Let's quantify this: A 128-bit salt (powered by a CSPRNG) will repeat exactly once (with 50% probability) after 2^64 (1.8446744e+19, or 18,446,744,073,709,551,616) password hashes are generated.

    That's about 2.6 billion bcrypt hashes for every living person on planet Earth.

    You don't need a longer salt for any appreciable security gain.

    Is there any drawback if we increase the salt length?

    It will silently truncate and, while you may feel smart for seemingly using a longer salt, it will have no effect on the security.

    Further reading: How to safely store your users' passwords in 2016.

    This answer was selected as the best answer by the asker.
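As an added example (not code from the question or the answer above), the two points of the answer side by side: CRYPT_SHA512 keeps only the first 16 salt characters, and password_hash() generates its own random salt. The bcrypt cost of 12 is an assumed policy value, not something the page specifies.

```php
<?php
// Added example, not code from the question or the answer above.
// Shows (1) that CRYPT_SHA512 keeps only the first 16 salt characters, so a
// longer salt changes nothing, and (2) the password_hash() path, which
// generates a fresh random salt itself. Cost 12 is an assumed policy value.
declare(strict_types=1);

function sha512crypt(string $password, string $salt, int $rounds = 5000): string
{
    $hash = crypt($password, sprintf('$6$rounds=%d$%s$', $rounds, $salt));
    // crypt() signals failure with a string shorter than 13 characters
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed for the given salt');
    }
    return $hash;
}

// Constructed sample input: the password and 25-character salt from the question
$password  = 'rasmuslerdorf';
$longSalt  = 'usesomesillystringforsalt';
$shortSalt = substr($longSalt, 0, 16);          // 'usesomesillystri'

$withLong  = sha512crypt($password, $longSalt);
$withShort = sha512crypt($password, $shortSalt);
// Both hashes carry the 16-character salt and are byte-for-byte identical:
// the extra salt characters never reached the hash function.
echo "long salt : $withLong\n";
echo "short salt: $withShort\n";
echo 'identical : ', var_export($withLong === $withShort, true), "\n";

// Recommended path: bcrypt via password_hash(). Each call draws its own
// 128-bit CSPRNG salt, so hashing the same password twice yields two
// different strings, and both still verify.
$h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$h2 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
echo 'distinct bcrypt hashes : ', var_export($h1 !== $h2, true), "\n";
echo 'verify correct password: ', var_export(password_verify($password, $h1), true), "\n";
echo 'verify wrong password  : ', var_export(password_verify('not-the-password', $h1), true), "\n";

// At login time, upgrade stored hashes that no longer meet the current policy
// (e.g. a lower cost or another algorithm) by rehashing the just-verified password.
if (password_needs_rehash($h1, PASSWORD_BCRYPT, ['cost' => 12])) {
    $h1 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}
```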