How can the PHP hash method change?

On the PHP website, http://php.net/manual/en/password.constants.php, it states the following:

PASSWORD_DEFAULT (integer) The default algorithm to use for hashing if no algorithm is provided. This may change in newer PHP releases when newer, stronger hashing algorithms are supported.

It is worth noting that over time this constant can (and likely will) change. Therefore you should be aware that the length of the resulting hash can change. Therefore, if you use PASSWORD_DEFAULT you should store the resulting hash in a way that can store more than 60 characters (255 is the recommended width).

How can this be? If someone sets their password and the hash is stored in the database, and then the method changes, they will not be able to log in, because the method will produce a different hash, won't they?

When you hash a password with the password_hash() function, information about the algorithm used and the cost is included in the returned string. Therefore password_verify() can always check whether a provided password is valid given a particular hash.

See the documentation for password_hash():

The used algorithm, cost and salt are returned as part of the hash. Therefore, all information that's needed to verify the hash is included in it. This allows the password_verify() function to verify the hash without needing separate storage for the salt or algorithm information.

There is also a function, password_needs_rehash(), which can be used to check whether a given hash was computed with an old algorithm, in which case a new hash must be computed. Since the password is provided in plaintext at login, you can (and should) rehash the password at that point if needed.

The warning in the documentation about the value changing over time is there so that users know the length of the computed hash may change. However, these functions are designed to be backward compatible with old (usually shorter) hashes.
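The login flow the answer describes, as an added example that is not part of the original question or answer: a hash created under an older, cheaper cost still verifies because password_verify() reads the algorithm, cost and salt out of the stored string, and password_needs_rehash() then triggers an upgrade while the plaintext is available. The in-memory $users array and the login() function are assumptions standing in for a real user table and application code; the cost values are illustrative.

```php
<?php
// Added example (not from the original answer). The $users array stands in
// for a database table whose password column is VARCHAR(255), as the manual
// recommends, so that a longer hash from a future PASSWORD_DEFAULT still fits.

// Hashing parameters the application wants to use today. If PHP changes
// PASSWORD_DEFAULT in a later release, nothing else here has to change.
const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

// Constructed sample store: one account whose hash was made earlier with
// bcrypt at the cheaper cost 10, as if written to the database long ago.
$users = [
    'alice' => [
        'password_hash' => password_hash(
            'correct horse battery staple',
            PASSWORD_BCRYPT,
            ['cost' => 10]
        ),
    ],
];

/**
 * Verify a login attempt and, on success, replace the stored hash when it
 * was not produced with the current algorithm and options.
 * Returns true on success; $users is updated in place when a rehash occurs.
 */
function login(array &$users, string $username, string $password): bool
{
    // Verify against a dummy hash when the account does not exist, so the
    // response time does not reveal whether the username is valid.
    static $dummy = null;
    $dummy ??= password_hash('dummy', HASH_ALGO, HASH_OPTIONS);

    $stored = $users[$username]['password_hash'] ?? $dummy;

    // The algorithm, cost and salt are embedded in $stored, so this check
    // works for hashes created under an older PASSWORD_DEFAULT or cost.
    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }

    // The plaintext is only available now, at login, so this is the one
    // place where the stored hash can be upgraded to current parameters.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username]['password_hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }

    return true;
}

// Demonstration: a wrong password fails; the right one succeeds and, because
// the stored hash used cost 10, gets rehashed with the current options.
$before = $users['alice']['password_hash'];

var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'alice', 'correct horse battery staple'));

$after = $users['alice']['password_hash'];
echo 'rehashed: ', var_export($before !== $after, true), PHP_EOL;
echo 'old params: ', json_encode(password_get_info($before)), PHP_EOL;
echo 'new params: ', json_encode(password_get_info($after)), PHP_EOL;

// The upgraded hash verifies with the same password.
var_dump(password_verify('correct horse battery staple', $after));
```

In a real application the assignment into $users becomes an UPDATE of the password column for that user; the rest of the flow is unchanged. Note that password_needs_rehash() also returns true when only the cost differs, so raising the cost over time upgrades accounts gradually as people log in, without a forced password reset.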