hash_pbkdf2 vs password_hash PHP functions

北战南征 submitted on 2019-12-05 23:41:06
  1. The password hashing functions (such as password_hash) are preferred, as they automate more of the process, such as picking a salt, verifying passwords, and rehashing.

  2. The password_verify function will automatically detect what algorithm was used to generate a hash, so there's no compatibility issue.

  3. These functions are in a released version of PHP, so they should be fine to use.

  4. Use PHPass or a shim such as password_compat if your code needs to run on versions of PHP earlier than 5.5. Otherwise, use the password hashing functions.
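The lifecycle the four points above describe (hash on registration, verify on login, rehash when parameters change), written out as an added example in PHP. This code is not from the original answer; it assumes PHP 7 or newer, and the `register`/`login` helpers, the `HASH_OPTIONS` constant, the cost of 12 and the users and passwords are all constructed for illustration.

```php
<?php
// Added example (not from the original answer): registration, login and
// transparent rehashing with PHP's password API. Assumes PHP >= 7.0.
// The user records and passwords below are constructed sample data.

declare(strict_types=1);

// Hashing parameters (hypothetical choice). PASSWORD_DEFAULT currently means
// bcrypt; a higher cost slows every hash for attacker and defender alike,
// so tune it to your own hardware.
const HASH_OPTIONS = ['cost' => 12];

// In-memory stand-in for a users table: username => stored hash string.
$users = [];

function register(array &$users, string $username, string $password): void
{
    // password_hash() picks a random salt and embeds algorithm, cost and salt
    // in the returned string, so that one string is all that needs storing.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];

    // password_verify() reads algorithm, cost and salt from $stored itself and
    // compares the digest in constant time; no parameters are passed here.
    if (!password_verify($password, $stored)) {
        return false;
    }

    // A successful login is the only moment the plaintext is in hand, so it is
    // the place to upgrade a hash made with older parameters.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return true;
}

// --- demonstration with constructed data ---
register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'mallory', 'anything'));

// Simulate a legacy record hashed before the cost was raised to 12. The
// first successful login replaces it with a hash at the current cost.
$users['bob'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);
echo substr($users['bob'], 0, 7), PHP_EOL;
login($users, 'bob', 'hunter2');
echo substr($users['bob'], 0, 7), PHP_EOL;
```

Running it, the three `login` calls give true, false, false, and the two `substr` lines show the prefix of bob's record change from `$2y$10$` to `$2y$12$`: `password_needs_rehash()` noticed the cost in the stored string was below the configured one, and the plaintext available during login was used to re-hash it. On an older PHP with the password_compat shim the same four calls exist, but the scalar type hints and `declare(strict_types=1)` would have to go.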

The new function password_hash() is just a wrapper around the function crypt() and simplifies its usage. The crypt function returns hashes of this form:

 algorithm (BCrypt)
 |  cost factor (10)
 |  |  salt                  hash-value
 |  |  |                     |
 -- -- -----------------------------------------------------
$2y$10$nOUIs5kJ7naTuTFkBy1veuK0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa

This means that the algorithm and all parameters are included, which are necessary to compare an entered password with the stored hash-value. Even if the default algorithm changes, the function password_verify() will be able to recognize the algorithm used, and can use the older algorithm to verify the password.

So this new password API is surely the most future-proof way to hash your passwords. You can even use it with older PHP versions with the compatibility pack.
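To make the diagram in the answer above concrete, here is an added example (not from the original answer) that splits a bcrypt string into the labelled fields, checks that PHP's own `password_get_info()` reads the same algorithm and cost, and then shows that `password_verify()` is called the same way whatever cost a hash was made with. The `parseBcrypt` function and the `$password` value are constructed for illustration; the first hash literal is the one quoted in the answer. Assumes PHP 7 or newer.

```php
<?php
// Added example (not from the original answer). Assumes PHP >= 7.0.
// parseBcrypt() is a hypothetical helper written for this illustration.

declare(strict_types=1);

/**
 * Split a bcrypt "modular crypt" string into the fields shown in the diagram:
 *   $<id>$<cost>$<22-char salt><31-char hash>
 * Salt and hash use bcrypt's own base64 alphabet (./A-Za-z0-9).
 */
function parseBcrypt(string $hash): array
{
    $re = '~^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$~';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash string');
    }
    return [
        'algorithm' => $m[1],       // "2y": bcrypt, the PHP 5.3.7+ identifier
        'cost'      => (int) $m[2], // work factor: 2^cost key-setup rounds
        'salt'      => $m[3],       // 128-bit random salt, 22 characters
        'hash'      => $m[4],       // 184-bit digest, 31 characters
    ];
}

// The hash quoted in the answer above.
$stored = '$2y$10$nOUIs5kJ7naTuTFkBy1veuK0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa';
print_r(parseBcrypt($stored));

// PHP's own reading of the same string: algorithm name and options.
print_r(password_get_info($stored));

// Two hashes of one password at different costs verify with the identical
// call, because cost and salt are taken from the string, not from the caller.
$password = 'example password';   // constructed; not the password behind $stored
$cost10 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$cost12 = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
var_dump(password_verify($password, $cost10));
var_dump(password_verify($password, $cost12));

// The parameters are not merely stored beside the digest; they feed into it.
// Rewriting the cost field of a valid hash makes verification fail, so an
// attacker with write access to the column cannot quietly lower the cost.
$tampered = '$2y$12$' . substr($cost10, 7);
var_dump(password_verify($password, $tampered));
```

The two `print_r` calls show the same cost (10) and the bcrypt algorithm from both the hand parser and `password_get_info()`; the first two `password_verify()` calls return true and the tampered one returns false, since bcrypt recomputes the digest with whatever cost the string claims and that no longer matches. The parser is only there to make the format visible: application code should never need it, which is the point the answer makes.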
