Question

http://codahale.com/how-to-safely-store-a-password/

I am confused about two things. If PHP 7.0 bcrypt provides a randomized salt, how are we supposed to retrieve it for password verification?

I understand there are key stretching functions like PBKDF2, but can someone explain to me why a memory-intensive hashing algorithm like scrypt is preferred over something like bcrypt? Besides the brute-force attack aspect. From the logic I've read online, people recommend using scrypt with multiple iterations.
Answer

First question, about bcrypt and salt: the salt is contained inside the result string, as is the cost, along with the hashed string. Each of the three strings has a constant length and thus can be retrieved easily thereafter.

For a more thorough explanation, see this answer.
scrypt is a newer version of bcrypt that requires more RAM to operate. The reason behind the RAM requirement is that CPU-cycle-based encryption (I/O based) is easily brute-forced using a modern GPU, multiple cores, etc. RAM, on the other hand, is not so easy to scale, so a combination of increased RAM + multiple operations is theoretically a safer way.

Read more about this in this great answer.
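The two questions above, worked through as an added example in Python rather than PHP (this code is not from the question, the answer or any page they link to). The first function pulls the version, cost, salt and hash out of a stored bcrypt string, which is what PHP's password_verify() has to do internally before re-running bcrypt with the recovered salt and cost; no separate salt column is ever needed. The second half is a scrypt hash/verify pair on hashlib.scrypt that stores its parameters and salt inline the same way, and a helper for the memory scrypt's ROMix needs, 128 * r * N bytes, which is the point of the second question: the knob that hurts GPU and ASIC attackers is N (memory), not a count of iterations, while bcrypt's Blowfish state stays around 4 KiB no matter how high its cost goes. The sample bcrypt string is constructed to be well-formed and nothing is claimed about which password it encodes; the $scrypt$ storage layout, the field names and the default N, r, p are this example's own choices, not a standard.

```python
import hashlib
import hmac
import secrets

# Well-formed bcrypt string constructed for this example (modular-crypt
# format: $<version>$<cost>$<22-char salt><31-char hash>). No claim is made
# about which password it encodes; only its structure matters here.
SAMPLE_BCRYPT = "$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a"

BCRYPT_SALT_CHARS = 22  # 16 salt bytes in bcrypt's own base64 alphabet
BCRYPT_HASH_CHARS = 31  # 23 bytes of Blowfish output, same alphabet


def parse_bcrypt(stored):
    """Split a stored bcrypt string into version, cost, salt and hash.

    A verifier reads salt and cost back out of the stored string, re-runs
    bcrypt on the candidate password with them, and compares the 31-char
    hash part. Every field has a fixed width, so plain slicing suffices.
    """
    parts = stored.split("$")  # ['', '2y', '10', '<salt><hash>']
    if len(parts) != 4 or parts[0] != "" or parts[1] not in ("2a", "2b", "2y"):
        raise ValueError("not a bcrypt string")
    if len(parts[2]) != 2 or not parts[2].isdigit():
        raise ValueError("malformed cost field")
    cost = int(parts[2])
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be in 4..31")
    body = parts[3]
    if len(body) != BCRYPT_SALT_CHARS + BCRYPT_HASH_CHARS:
        raise ValueError("salt+hash field has wrong length")
    return {
        "version": parts[1],
        "cost": cost,  # work factor: 2**cost expensive key-setup rounds
        "salt": body[:BCRYPT_SALT_CHARS],
        "hash": body[BCRYPT_SALT_CHARS:],
    }


def looks_like_bcrypt(stored):
    """True if the string parses as bcrypt; used to avoid raising on bad rows."""
    try:
        parse_bcrypt(stored)
        return True
    except ValueError:
        return False


def scrypt_memory_bytes(n, r):
    """Bytes scrypt's ROMix array V occupies for parameters N and r.

    V holds N blocks of 128*r bytes, so doubling N doubles memory as well
    as time. bcrypt's Blowfish state (18-word P-array plus four 256-entry
    S-boxes) is about 4 KiB regardless of cost. OpenSSL reserves a little
    more than this figure, roughly 128*r*(N+p+2), so maxmem below has slack.
    """
    return 128 * r * n


def scrypt_hash_password(password, n=2 ** 14, r=8, p=1, salt=None):
    """Hash with scrypt, packing N, r, p and salt into the stored string.

    The layout $scrypt$ln=..,r=..,p=..$<salt hex>$<key hex> is this example's
    own (hypothetical); as with bcrypt, everything needed to verify is inline.
    """
    if n < 2 or n & (n - 1):
        raise ValueError("N must be a power of two")
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per password
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32,
        maxmem=2 * scrypt_memory_bytes(n, r) + 1024 * 1024,
    )
    return "$scrypt$ln=%d,r=%d,p=%d$%s$%s" % (
        n.bit_length() - 1, r, p, salt.hex(), key.hex())


def scrypt_verify_password(password, stored):
    """Recover N, r, p and salt from the stored string, recompute, compare."""
    try:
        _, tag, params, salt_hex, key_hex = stored.split("$")
        if tag != "scrypt":
            return False
        kv = dict(item.split("=") for item in params.split(","))
        ln, r, p = int(kv["ln"]), int(kv["r"]), int(kv["p"])
        if not 1 <= ln <= 20:  # refuse absurd N from a tampered record
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except (ValueError, KeyError):
        return False  # malformed record: never raises into the login path
    recomputed = scrypt_hash_password(password, n=2 ** ln, r=r, p=p, salt=salt)
    actual = bytes.fromhex(recomputed.rsplit("$", 1)[1])
    return hmac.compare_digest(actual, expected)  # constant-time compare


if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE_BCRYPT))
    print("scrypt N=2^14, r=8 needs %d MiB" % (scrypt_memory_bytes(2 ** 14, 8) >> 20))
    record = scrypt_hash_password("correct horse battery staple")
    print(record)
    print(scrypt_verify_password("correct horse battery staple", record))
```

Verification in both halves follows the same pattern PHP's password_verify() uses: parse the stored record, reuse its parameters and salt, recompute, and compare in constant time. Raising N in the scrypt record changes the stored string's ln field, so old records keep verifying with their own parameters and can be rehashed on the next successful login.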