password_hash随机生成salt时,hash如何匹配?
How does the hash match when the salt is generated randomly in password_hash?
默认情况下随机生成盐时,此哈希解密如何工作。在我看来,它似乎是这样的:
password_hash(random_salt1+pw) != password_hash(random_salt2+pw)
随机生成的盐password_verify(random_salt2+pw)如何知道要解码的原始盐?
感谢您阅读本文。
它使用放置在散列中的参数在新文本(密码)上重新运行散列例程,如果匹配旧散列 BINGO。
如果您查看 password_hash() 的输出,所有参数都在结果散列中
查看示例
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT);
echo password_hash("rasmuslerdorf", PASSWORD_ARGON2I);
echo password_hash("rasmuslerdorf", PASSWORD_ARGON2ID);
结果
y$nbX83VUlyVstPCckavcJy.wQ84i8/cmBD/oeDV/zWrHXkuG6t/9fy
$argon2i$v=19$m=65536,t=4,p=1$QlQ4emNEb1UxR1JiTG5Ddw$vw4HeiM9CEo8c2KNUslpC7qpH9M9Lo+WxBhX0UPp4oo
$argon2id$v=19$m=65536,t=4,p=1$U1loZThCYWtXcnpYWWV3NAeO0Ig9a1/pwqK3NPeNxwQpRuml36pjN2UN5BaGVGo
请注意,即使您使用相同的密码(文本字符串),您也不会从 password_hash()
中获得相同的哈希值,这是因为盐是作为哈希过程的一部分随机生成的。
Also password_hash()
explicitly says DONT ADD YOUR OWN HASH. It generates a strong hash internally. A much better one that you are likely to create for yourself
From the manual of all places The used algorithm, cost and salt are returned as part of the hash. Therefore, all information that's needed to verify the hash is included in it. This allows the password_verify() function to verify the hash without needing separate storage for the salt or algorithm information.
Also from the manual Warning The salt option is deprecated. It is now preferred to simply use the salt that is generated by default. As of PHP 8.0.0, an explicitly given salt is ignored.
默认情况下随机生成盐时,此哈希解密如何工作。在我看来,它似乎是这样的:
password_hash(random_salt1+pw) != password_hash(random_salt2+pw)
随机生成的盐password_verify(random_salt2+pw)如何知道要解码的原始盐?
感谢您阅读本文。
它使用放置在散列中的参数在新文本(密码)上重新运行散列例程,如果匹配旧散列 BINGO。
如果您查看 password_hash() 的输出,所有参数都在结果散列中
查看示例
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT);
echo password_hash("rasmuslerdorf", PASSWORD_ARGON2I);
echo password_hash("rasmuslerdorf", PASSWORD_ARGON2ID);
结果
y$nbX83VUlyVstPCckavcJy.wQ84i8/cmBD/oeDV/zWrHXkuG6t/9fy
$argon2i$v=19$m=65536,t=4,p=1$QlQ4emNEb1UxR1JiTG5Ddw$vw4HeiM9CEo8c2KNUslpC7qpH9M9Lo+WxBhX0UPp4oo
$argon2id$v=19$m=65536,t=4,p=1$U1loZThCYWtXcnpYWWV3NAeO0Ig9a1/pwqK3NPeNxwQpRuml36pjN2UN5BaGVGo
请注意,即使您使用相同的密码(文本字符串),您也不会从 password_hash()
中获得相同的哈希值,这是因为盐是作为哈希过程的一部分随机生成的。
Also
password_hash()
explicitly says DONT ADD YOUR OWN HASH. It generates a strong hash internally. A much better one that you are likely to create for yourself
From the manual of all places The used algorithm, cost and salt are returned as part of the hash. Therefore, all information that's needed to verify the hash is included in it. This allows the password_verify() function to verify the hash without needing separate storage for the salt or algorithm information.
Also from the manual Warning The salt option is deprecated. It is now preferred to simply use the salt that is generated by default. As of PHP 8.0.0, an explicitly given salt is ignored.