correct use of password_hash

a 夏天 提交于 2019-12-08 04:07:24

问题


I am trying to figure out the correct use of password_hash I have the following script below

<?php
  $password = "test3";
  $hashAndSalt = password_hash($password, PASSWORD_BCRYPT);

  echo $hashAndSalt;
?>

as far as I know this is supposed to create a salt too?

When ever I run the script the beginning of the hash starts with "$2y$10$" the remainder always changes on each run.

$2y$10$.YHHLeFYcQoE6c//vl587uIFTOljmpmuDnSA0w0dxo1Rrpvi5zM9m   <- run one
$2y$10$b6n3chpTQk1X7c0OdPp0ceZmw3GvZFsLx9FHq9RnYaJgbld915oYG   <- run two
$2y$10$AGffB7R1rTko8UmS1m6wT.ybG78.CkwrxqoRteNMeRPXexpSJW5iO   <- run three

Is it supposed to work like this? is this the correct way of storing password in database?


回答1:


$2y$10$.YHHLeFYcQoE6c//vl587uIFTOljmpmuDnSA0w0dxo1Rrpvi5zM9m
|  |  |                    |                               |
|  |  |                    |                               |
|  |  |                    |---------------------------------Hashed Password
|  |  |----------------------Salt
|  |----Cost
----Algorithm

The hash contains all the information necessary to see if the password matches the hash for a given string. You know the algorithm it was hashed with, the salt, and what it hashed to. So all you have to do is supply a string, pass it through the same algorithm with the same salt and cost, and it will either equal the hash or not.

So to answer your question, yes it is supposed to work like that. The salt changes every time, which means the hashed password changes every time, but you can always check if a password hashes to the same hashed password, because the hash contains the salt.



来源:https://stackoverflow.com/questions/24875986/correct-use-of-password-hash

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!