散列密码的最佳方法是什么? password_hash 是否足够安全或 PHP 7 中是否有更安全的方法?
What is the best way to hash a password? Is password_hash safe enough or is there a safer method in PHP 7?
散列密码的最佳方法是什么?我知道一种做得很好的方法,但我想知道在 PHP 7+ 和 password_hash() 中是否有更好的散列密码的方法。 password_hash 够好吗?
<?php
password_hash('PASSWORD HERE', PASSWORD_DEFAULT);
?>
"I was wondering if there is an even better way to hash passwords in PHP 7+ then password_hash. Is password_hash good enough?"
是的,它足够安全,是的,有一种 better/safer 的方式。从 PHP 7.2 开始,Argon2 是赢得 Password Hashing Competition 的新实现(散列)方法的一部分,如果您想将 PHP 版本升级到 7.2,它提供了更强大的方法.
上面的 wiki 声明:
Argon2, the recommended password hashing algorithm by the Password Hashing Competition, is a modern algorithm for securely hashing passwords. Argon2 addresses several key downsides of existing algorithms in that it is designed for the highest memory filling rate, and effective use multiple computing units while still providing defense against tradeoff attacks. Unlike Bcrypt, which just takes a single cost factor, Argon2 is parameterized by three distinct factors:
- A memory cost that defines memory usage of the algorithm
- A time cost that defines the execution time of the algorithm and the number of iterations
- And a parallelism factor, which defines the number of parallel threads
您还可以查看以下 link,其中包含有关 Libsodium https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016
的更多信息
http://php.net/manual/en/function.password-hash.php 上的手册还包含有关 PASSWORD_ARGON2I.
的信息
变更日志指出:
7.2.0 Support for Argon2 passwords using PASSWORD_ARGON2I was added.
如果升级到 PHP 7.2 不是一个选项,那么您可以增加 "cost"。
摘自 this answer and from the related post Generating Password Hash In PHP 5.5 And Setting Cost Option,我引用:
Increasing the cost parameter by 1, doubles the needed time to calculate the hash value. The cost parameter is the logarithm (base-2) of the iteration count, that means:
$iterations = 2 ^ $cost;
您还可以在 Stack Overflow 上查阅其他问答:
- How does password_hash really work?
散列密码的最佳方法是什么?我知道一种做得很好的方法,但我想知道在 PHP 7+ 和 password_hash() 中是否有更好的散列密码的方法。 password_hash 够好吗?
<?php
password_hash('PASSWORD HERE', PASSWORD_DEFAULT);
?>
"I was wondering if there is an even better way to hash passwords in PHP 7+ then password_hash. Is password_hash good enough?"
是的,它足够安全,是的,有一种 better/safer 的方式。从 PHP 7.2 开始,Argon2 是赢得 Password Hashing Competition 的新实现(散列)方法的一部分,如果您想将 PHP 版本升级到 7.2,它提供了更强大的方法.
上面的 wiki 声明:
Argon2, the recommended password hashing algorithm by the Password Hashing Competition, is a modern algorithm for securely hashing passwords. Argon2 addresses several key downsides of existing algorithms in that it is designed for the highest memory filling rate, and effective use multiple computing units while still providing defense against tradeoff attacks. Unlike Bcrypt, which just takes a single cost factor, Argon2 is parameterized by three distinct factors:
- A memory cost that defines memory usage of the algorithm
- A time cost that defines the execution time of the algorithm and the number of iterations
- And a parallelism factor, which defines the number of parallel threads
您还可以查看以下 link,其中包含有关 Libsodium https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016
的更多信息http://php.net/manual/en/function.password-hash.php 上的手册还包含有关 PASSWORD_ARGON2I.
变更日志指出:
7.2.0 Support for Argon2 passwords using PASSWORD_ARGON2I was added.
如果升级到 PHP 7.2 不是一个选项,那么您可以增加 "cost"。
摘自 this answer and from the related post Generating Password Hash In PHP 5.5 And Setting Cost Option,我引用:
Increasing the cost parameter by 1, doubles the needed time to calculate the hash value. The cost parameter is the logarithm (base-2) of the iteration count, that means:
$iterations = 2 ^ $cost;
您还可以在 Stack Overflow 上查阅其他问答:
- How does password_hash really work?