5. 哈希函数的理解?
Using bcrypt is the currently accepted best practice for hashing passwords, but a large number of developers still use older and weaker algorithms like MD5 and SHA1. Some developers don’t even use a salt while hashing. The new hashing API in PHP 5.5 aims to draw attention towards bcrypt while hiding its complexity. In this article I’ll cover the basics of using PHP’s new hashing API.
使用bcrypt是当前公认的散列密码的最佳做法,但是许多开发人员仍在使用诸如MD5和SHA1之类的较早和较弱的算法。 一些开发人员甚至在哈希运算时都不使用盐。 PHP 5.5中的新哈希算法API旨在引起人们对bcrypt的关注,同时隐藏其复杂性。 在本文中,我将介绍使用PHP的新哈希API的基础知识。
The new password hashing API exposes four simple functions:
新的密码哈希API公开了四个简单的功能:
password_hash() – used to hash the password.
password_hash() –用于对密码进行哈希处理。
password_verify() – used to verify a password against its hash.
password_verify() –用于根据密码的哈希值验证密码。
password_needs_rehash() – used when a password needs to be rehashed.
password_needs_rehash() –需要重新输入密码时使用。
password_get_info() – returns the name of the hashing algorithm and various options used while hashing.
password_get_info() –返回哈希算法的名称以及哈希时使用的各种选项。
Although the crypt() function is secure, it’s considered by many to be too complicated and prone to programmer error. Some developers then use a weak salt and weak algorithm for generating a hash instead, for example:
尽管crypt()函数是安全的,但许多人认为它过于复杂并且容易出现程序员错误。 然后,一些开发人员使用弱盐和弱算法来生成哈希,例如:
<?php $hash = md5($password . $salt); // works, but dangerousBut the password_hash() function can simplify our lives and our code can be secure. When you need to hash a password, just feed it to the function and it will return the hash which you can store in your database.
但是password_hash()函数可以简化我们的生活,并且我们的代码可以安全。 当您需要对密码进行哈希处理时,只需将其提供给函数,它将返回可以存储在数据库中的哈希值。
<?php $hash = password_hash($password, PASSWORD_DEFAULT);That’s it! The first parameter is the password string that needs to be hashed and the second parameter specifies the algorithm that should be used for generating the hash.
而已! 第一个参数是需要散列的密码字符串,第二个参数指定应用于生成散列的算法。
The default algorithm is currently bcrypt, but a stronger algorithm may be added as the default later at some point in the future and may generate a larger string. If you are using PASSWORD_DEFAULT in your projects, be sure to store the hash in a column that’s capacity is beyond 60 characters. Setting the column size to 255 might be a good choice. You could also use PASSWORD_BCRYPT as the second parameter. In this case the result will always be 60 characters long.
默认算法当前为bcrypt,但是将来可能会在将来的某个时候添加更强大的算法作为默认算法,并且可能会生成更大的字符串。 如果在项目中使用PASSWORD_DEFAULT ,请确保将哈希存储在容量超过60个字符的列中。 将列大小设置为255可能是一个不错的选择。 您也可以使用PASSWORD_BCRYPT作为第二个参数。 在这种情况下,结果将始终为60个字符长。
The important thing here is that you don’t have to provide a salt value or a cost parameter. The new API will take care of all of that for you. And the salt is part of the hash, so you don’t have to store it separately. If you want to provide your own salt (or cost), you can do so by passing a third argument to the function, an array of options.
重要的是,您不必提供盐值或成本参数。 新的API将为您解决所有这些问题。 盐是哈希的一部分,因此您不必单独存储它。 如果您想提供自己的盐(或成本),可以通过将第三个参数传递给函数(选项数组)来实现。
<?php $options = [ 'salt' => custom_function_for_salt(), //write your own code to generate a suitable salt 'cost' => 12 // the default cost is 10 ]; $hash = password_hash($password, PASSWORD_DEFAULT, $options);In this way, you are always up-to-date with new security measures. If PHP later decides to implement a more powerful hashing algorithm your code can take advantage of it.
这样,您始终可以掌握最新的安全措施。 如果PHP以后决定实现更强大的哈希算法,则您的代码可以利用它。
Now that you have seen how to generate hashes with the new API, let’s see how to verify a password. Remember that you store the hashes in a database, but it’s the plain password that you get when a user logs in. The password_verify() function takes a plain password and the hashed string as its two arguments. It returns true if the hash matches the specified password.
既然您已经了解了如何使用新的API生成哈希,现在让我们看看如何验证密码。 请记住,您将哈希存储在数据库中,但这是用户登录时获得的普通密码。password_verify password_verify()函数将普通密码和哈希字符串作为两个参数。 如果哈希与指定的密码匹配,则返回true。
<?php if (password_verify($password, $hash)) { // Success! } else { // Invalid credentials }Just remember that the salt is a part of the hashed password which is why we are not specifying it separately here.
请记住,salt是哈希密码的一部分,这就是为什么我们不在此处单独指定它的原因。
What if you need to modify the salt and cost parameters for the hash strings? This is a concern as you might decide to improve security by adding a stronger salt or larger cost parameter. Moreover, PHP might change the default implementation of the hashing algorithm. In all of these cases, you would want to rehash the existing passwords.
如果您需要修改哈希字符串的salt和cost参数怎么办? 这是一个令人担忧的问题,因为您可能决定通过添加更强的盐或更大的成本参数来提高安全性。 而且,PHP可能会更改哈希算法的默认实现。 在所有这些情况下,您都需要重新哈希现有的密码。
helps checks if the specified hash implements a particular algorithm and uses specific options like cost and salt while being created.
帮助检查指定的哈希值是否实现特定算法,并在创建时使用特定选项(例如成本和盐)。
<?php if (password_needs_rehash($hash, PASSWORD_DEFAULT, ['cost' => 12])) { // the password needs to be rehashed as it was not generated with // the current default algorithm or not created with the cost // parameter 12 $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]); // don't forget to store the new hash! }Keep in mind that you’ll need to do this when the user tries to login to your website as this is only time you have access to the plain password.
请记住,当用户尝试登录您的网站时,您将需要执行此操作,因为这仅是您有权访问纯密码的时间。
password_get_info() accepts a hash and returns an associative array of three elements:
password_get_info()接受一个散列,并返回三个元素的关联数组:
algo – a constant that identifies a particular algorithm
algo –标识特定算法的常数
algoName – the name of the algorithm used
algoName –使用的算法的名称
options – various options used while generating the hash
options –生成哈希时使用的各种选项
The new password hashing API is definitely easier to work with than fumbling with the crypt() function. If your website is currently running on PHP 5.5, then I strongly recommended that you use the new hashing API. Those who are using PHP 5.3.7 (or later) can use a library called password_compat which emulates the API and automatically disables itself once the PHP version is upgraded to 5.5.
新的密码哈希API肯定比使用crypt()函数更容易使用。 如果您的网站当前正在PHP 5.5上运行,那么我强烈建议您使用新的哈希API。 使用PHP 5.3.7(或更高版本)的用户可以使用一个名为password_compat的库,该库模仿API,并在PHP版本升级到5.5后自动禁用其自身。
翻译自: https://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/
5. 哈希函数的理解?
相关资源:PHP 5.5 创建和验证哈希最简单的方法详解