问题
It is my belief that passwords hashed using PHP's password_hash() function may be transferred to different systems and still be successfully used for verification purposes.
It's my understanding that the bcrypt hash contains all the necessary components that, when combined with the plain text password, the given password may be verified. Because of this, the hash can be taken to any system with a compatible implementation and used for verification purposes.
I will be trying this out soon, but before I do I would like to know if my theory is correct.
Is this correct?
回答1:
Yes, it is correct. The documentation for password_verify states:
Note that
password_hash()
returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.
Of course it's also easy to see that this information is there by inspecting the output of password_hash
and crypt
(which is, to overgeneralize a bit, mostly the same thing).
回答2:
Yes, crypt()
based hashes are portable; they can be transferred to any system and they can be used to successfully verify a given password, because it contains all necessary data to perform this verification.
Note that a high cost factor may cause lesser systems to take longer to verify a password, due to the higher number of iterations required.
Also take care of the storage requirements; if you're always going to use bcrypt it's safe to store password hashes in varchar(60)
columns. Otherwise varchar(255)
is recommended.
回答3:
The bcrypt algorythm includes it's own vector and/or salt and should be portable. Neither hash nor vecotor/salt include anything specific to a system.
This should also be applicable to any other algorythm that either doesnt use a vecotr (or other element in addition to the hash) or includes this hash in it's output.
回答4:
I don't know where you wanna save the hash, but if you save it to database, usw the database own encryption/hash functions complain it
example (with encryption)
INSERT INTO table (pass_hash,....) VALUES ( MD2 | MD4 | MD5 | SHA | SHA1 | SHA2_256 | SHA2_512 (" $password ") )
SELECT * FROM table WHERE pass_hash = MD2 | MD4 | MD5 | SHA | SHA1 | SHA2_256 | SHA2_512 (" $password ")
来源:https://stackoverflow.com/questions/19005709/php-password-hash-are-password-hashes-portable-between-systems