What is the best way to hash a password? Is password_hash safe enough or is there a safer method in PHP 7?

后端 未结 1 1644
清酒与你
清酒与你 2021-01-18 04:41

What is the best way to hash a password? I know a way that does a good job, but I was wondering if there is an even better way to hash passwords in PHP 7+ then password_hash

1条回答
  •  粉色の甜心
    2021-01-18 05:26

    "I was wondering if there is an even better way to hash passwords in PHP 7+ then password_hash. Is password_hash good enough?"

    Yes it is safe enough, and yes there is a better/safer way. As of PHP 7.2, Argon2 is part of a newly implemented (hashing) method that won the Password Hashing Competition which offers a more robust method, should you want to upgrade your version of PHP to 7.2.

    The wiki on this states:

    Argon2, the recommended password hashing algorithm by the Password Hashing Competition, is a modern algorithm for securely hashing passwords. Argon2 addresses several key downsides of existing algorithms in that it is designed for the highest memory filling rate, and effective use multiple computing units while still providing defense against tradeoff attacks. Unlike Bcrypt, which just takes a single cost factor, Argon2 is parameterized by three distinct factors:

    1. A memory cost that defines memory usage of the algorithm
    2. A time cost that defines the execution time of the algorithm and the number of iterations
    3. And a parallelism factor, which defines the number of parallel threads

    You can also look into the following link which contains more information on Libsodium https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016

    The manual on http://php.net/manual/en/function.password-hash.php also contains information on PASSWORD_ARGON2I.

    The changelog states:

    7.2.0 Support for Argon2 passwords using PASSWORD_ARGON2I was added.


    If upgrading to PHP 7.2 is not an option, then you could increase the "cost".

    Pulled from this answer and from the related post Generating Password Hash In PHP 5.5 And Setting Cost Option, and I quote:

    Increasing the cost parameter by 1, doubles the needed time to calculate the hash value. The cost parameter is the logarithm (base-2) of the iteration count, that means:

    $iterations = 2 ^ $cost;

    You can also consult this other Q&A here on Stack Overflow:

    • How does password_hash really work?

    0 讨论(0)
提交回复
热议问题