douhao2721
2016-08-03 20:12
27 views
Accepted

Double password_hash php

I was wondering if it was possible/wise to use password_hash twice for my users passwords on my website.

So let's say this:

  • User registers on my site, they enter a password, we will call this input.

  • During account creation, their password is $firstHash = password_hash($input, PASSWORD_BCRYPT) (For example's sake, let's say this hashes to "thisFirstHash")

  • Once their password is hashed, it is hashed again $firstHash = password_hash($firstHash, PASSWORD_BCRYPT) (For example's sake, let's say this hashes to "thisSecondHash")

  • This second hash is what is stored to the database, so now when they log in, the server has to decrypt a hashed hash.

  • When the user logs in, they enter their password again; we will again call this input.

  • The server then has to re-encrypt the input to compare with the saved hash $loginHash1 = password_hash($input, PASSWORD_BCRYPT)

  • The server compares the new loginHash1 variable with the saved hash password_verify($loginHash1,"thisSecondHash")

  • If the first hash matches, compare the second hash

  • password_verify($input,"thisFirstHash")

I couldn't quite get this to work properly in my small testing environment; I suspect it has something to do with the randomized salt being different during the login phase when rehashing the input.

So my questions are,

  1. Is it possible to do this?
  2. Is it beneficial to do this?


2 answers

  • doujiyun0041 2016-08-03 20:23
    Accepted

    The whole point of the password hashing API is to make it simple to implement secure hashing. Adding complexity as you are will not add any security, and it makes your code more difficult to debug. Use one password_hash and one password_verify. PHP's PASSWORD_DEFAULT is chosen to be very strong already:

    To hash

    $hash = password_hash($cleartext, PASSWORD_DEFAULT);
    

    To verify

    $isCorrect = password_verify($cleartext, $hash);
    

    If you're not happy with PHP's very strong defaults, you can look into the cost setting. But it's really not needed. The docs say:

    password_hash() uses a strong hash, generates a strong salt, and applies proper rounds automatically. password_hash() is a simple crypt() wrapper and compatible with existing password hashes. Use of password_hash() is encouraged.

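An added example (not code from the question or the answer above) that shows both halves of the answer: why the double-hash scheme in the question cannot verify at login, and the single password_hash / password_verify flow with an explicit cost option. The sample password and the cost of 12 are constructed values for the demo.

```php
<?php
declare(strict_types=1);

// Constructed sample credential for the demonstration.
$input = 'correct horse battery staple';

// --- Why the question's scheme breaks -------------------------------------
// Each password_hash() call draws a fresh random salt, so hashing the same
// input twice never yields the same string. The login-time hash therefore
// differs from $firstHash, and the stored hash-of-a-hash cannot be verified
// against it.
$firstHash  = password_hash($input, PASSWORD_BCRYPT);
$secondHash = password_hash($firstHash, PASSWORD_BCRYPT);   // hash of a hash
$loginHash1 = password_hash($input, PASSWORD_BCRYPT);       // new random salt
var_dump($firstHash === $loginHash1);                       // bool(false)
var_dump(password_verify($loginHash1, $secondHash));        // bool(false)
// Only the original $firstHash verifies against $secondHash, so it would have
// to be stored alongside it, which leaves a single stored secret anyway.
var_dump(password_verify($firstHash, $secondHash));         // bool(true)

// --- The recommended flow -------------------------------------------------
// Registration: one hash. The algorithm, cost and salt are embedded in the
// result, so nothing else needs to be stored. The cost of 12 is an assumed
// tuning value; raise it until a hash takes a noticeable fraction of a second
// on the server that will run it.
$options    = ['cost' => 12];
$storedHash = password_hash($input, PASSWORD_DEFAULT, $options);

// Login: password_verify() reads the salt and cost back out of $storedHash,
// re-derives the hash from the submitted cleartext and compares the two in
// constant time. No second hash is needed.
var_dump(password_verify($input, $storedHash));             // bool(true)
var_dump(password_verify('wrong password', $storedHash));   // bool(false)

// Maintenance: if the cost is raised later, or PHP changes PASSWORD_DEFAULT,
// detect stale hashes at login (while the cleartext is still available) and
// transparently re-hash the password.
if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, $options)) {
    $storedHash = password_hash($input, PASSWORD_DEFAULT, $options);
}
```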
