What is the cost option in password_hash?
There are many examples in the PHP manual that use the cost option of password_hash. Below is some example code for computing a good value for cost:
<?php
/**
 * This code will benchmark your server to determine how high of a cost you can
 * afford. You want to set the highest cost that you can without slowing down
 * your server too much. 8-10 is a good baseline, and more is good if your servers
 * are fast enough. The code below aims for ≤ 50 milliseconds stretching time,
 * which is a good baseline for systems handling interactive logins.
 */
$timeTarget = 0.05; // 50 milliseconds
$cost = 8;
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $timeTarget);
echo "Appropriate Cost Found: " . $cost . "\n";
?>
What does cost mean? What is it used for?
https://wildlyinaccurate.com/bcrypt-choosing-a-work-factor/
The reason that the key setup phase can be potentially expensive is because it is run 2^work times. As password hashing is usually associated with common tasks like logging a user into a system, it's important to find the right balance between security and performance. Using a high work factor makes it incredibly difficult to execute a brute-force attack, but can put unnecessary load on the system.
From Wikipedia:
The cost parameter specifies a key expansion iteration count as a power of two, which is an input to the crypt algorithm.
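The following added example (not part of the question or the quoted answer) illustrates three consequences of the cost being a power-of-two work factor: timing roughly doubles per +1 on cost, the cost is stored inside the hash string itself, and stored hashes can be upgraded at login once a higher cost is chosen. The password strings, the target cost of 12 and the function names are assumptions made for the example.

```php
<?php
// Added example: demonstrates how the bcrypt cost option behaves.

// 1. Each +1 on cost roughly doubles the time, because bcrypt's key setup
//    runs 2^cost times. Run this to see the doubling on your own hardware.
function timeCost(int $cost, string $password = 'correct horse battery staple'): float {
    $start = microtime(true);
    password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

foreach ([8, 9, 10, 11, 12] as $cost) {
    printf("cost=%2d  %.4f s\n", $cost, timeCost($cost));
}

// 2. The cost is recorded in the hash ("$2y$10$..."), so password_verify()
//    reads it from the stored value and needs no separate configuration.
//    Hashes produced under an older cost therefore keep verifying.
$stored = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]); // constructed sample
$info   = password_get_info($stored);
printf("algo=%s cost=%d\n", $info['algoName'], $info['options']['cost']);

// 3. Raising the policy: the hash can only be recomputed when the plaintext is
//    available, i.e. at a successful login. password_needs_rehash() compares
//    the cost embedded in the stored hash against the current policy.
$policy = ['cost' => 12]; // assumed new policy value for this example

function loginAndUpgrade(string $password, string &$stored, array $policy): bool {
    if (!password_verify($password, $stored)) {
        return false; // wrong password: never rehash on a failed attempt
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $policy)) {
        $stored = password_hash($password, PASSWORD_BCRYPT, $policy); // persist this new value
    }
    return true;
}

var_dump(loginAndUpgrade('wrong', $stored, $policy));   // bool(false), hash unchanged
var_dump(loginAndUpgrade('hunter2', $stored, $policy)); // bool(true), hash upgraded
echo password_get_info($stored)['options']['cost'], "\n"; // now 12
```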