PASSWORD_DEFAULT vs PASSWORD_BCRYPT

一曲冷凌霜 提交于 2019-12-18 18:56:32

问题


What is the difference between PASSWORD_DEFAULT and PASSWORD_BCRYPT? Do they both use Blowfish encryption algorithm? What is cost in an algorithm? How to set up password_hash in PHP produce a 255-hash length instead of 60?


回答1:


Currently PASSWORD_BCRYPT is the only algorithm supported (using CRYPT_BLWFISH), therefore there is currently no difference between PASSWORD_DEFAULT and PASSWORD_BCRYPT. The purpose of PASSWORD_DEFAULT is to allow for the inclusion of additional algorithms in the future, whereupon PASSWORD_DEFAULT will always be used to apply the strongest supported hashing algorithm.

Cost is related to the number of iterations of the algorithm that are executed, and affects the speed of calculation as well as the hash value generated. Higher costs take longer to execute, slowing brute force attacks




回答2:


Per the documentation PASSWORD_DEFAULT is meant to be future proof

From the docs:

PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).




回答3:


There is no difference between PASSWORD_DEFAULT and PASSWORD_BCRYPT for the moment (http://www.php.net/manual/en/password.constants.php). The cost will depend on the number of rounds the hash will be applied. It is also explained in the link above. If you want to increase the security of your hash, you better increase the number of rounds instead of the length.



来源:https://stackoverflow.com/questions/22393143/password-default-vs-password-bcrypt

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!