duancan1900 2015-03-18 20:47
浏览 50
已采纳

在PHP中最安全地使用bcrypt [关闭]

Other than just hashing the password like that:

password_hash($password, PASSWORD_BCRYPT);

What is the recommended rounds of iteration for bcrypt? I know for certain that four rounds of blowfish are susceptible to a second-order differential attack but the server utilizing the process of hashing would probably be fine with a lot bigger cost in most cases. 14 rounds can be distinguished from a pseudorandom permutation so that's ruled out as well.

Is 16 the highest possible cost? Also how is the salt being generated (if omitted)?

  • 写回答

1条回答 默认 最新

  • dongqing483174 2015-03-18 21:15
    关注

    In case of BCrypt you do not specify the number of rounds, instead you define a cost factor. The cost factor will be raised to the power of 2, that means, increasing the cost factor by 1, will double the computing time.

    $numberofRounds = 2 ^ $costFactor

    The default value is currently 10, the highest possible value is currently 31. To determine the cost factor you should go the other way round, measure the time your server needs for different cost factors. Then you can decide what cost factor is bearable for your server.

    There is a small example script in the PHP documentation, which helps finding an appropriate cost factor.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 基于卷积神经网络的声纹识别
  • ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
  • ¥100 为什么这个恒流源电路不能恒流?
  • ¥15 有偿求跨组件数据流路径图
  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图
  • ¥15 stm32开发clion时遇到的编译问题