PHP password_hash(): Are password hashes portable between systems?

徘徊边缘 提交于 2019-12-02 06:48:40

问题


It is my belief that passwords hashed using PHP's password_hash() function may be transferred to different systems and still be successfully used for verification purposes.

It's my understanding that the bcrypt hash contains all the necessary components that, when combined with the plain text password, the given password may be verified. Because of this, the hash can be taken to any system with a compatible implementation and used for verification purposes.

I will be trying this out soon, but before I do I would like to know if my theory is correct.

Is this correct?


回答1:


Yes, it is correct. The documentation for password_verify states:

Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.

Of course it's also easy to see that this information is there by inspecting the output of password_hash and crypt (which is, to overgeneralize a bit, mostly the same thing).




回答2:


Yes, crypt() based hashes are portable; they can be transferred to any system and they can be used to successfully verify a given password, because it contains all necessary data to perform this verification.

Note that a high cost factor may cause lesser systems to take longer to verify a password, due to the higher number of iterations required.

Also take care of the storage requirements; if you're always going to use bcrypt it's safe to store password hashes in varchar(60) columns. Otherwise varchar(255) is recommended.




回答3:


The bcrypt algorythm includes it's own vector and/or salt and should be portable. Neither hash nor vecotor/salt include anything specific to a system.

This should also be applicable to any other algorythm that either doesnt use a vecotr (or other element in addition to the hash) or includes this hash in it's output.




回答4:


I don't know where you wanna save the hash, but if you save it to database, usw the database own encryption/hash functions complain it

example (with encryption)

INSERT INTO table (pass_hash,....) VALUES ( MD2 | MD4 | MD5 | SHA | SHA1 | SHA2_256 | SHA2_512 (" $password ") )
SELECT * FROM table WHERE pass_hash = MD2 | MD4 | MD5 | SHA | SHA1 | SHA2_256 | SHA2_512 (" $password ")


来源:https://stackoverflow.com/questions/19005709/php-password-hash-are-password-hashes-portable-between-systems

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!