What is the best way to hash a password? Is password_hash secure enough? Is there a more secure method in PHP 7?

Question

What is the best way to hash a password? I know a way that does a good job, but I was wondering if there is an even better way to hash passwords in PHP 7+ than password_hash(). Is password_hash good enough?

<?php
password_hash('PASSWORD HERE', PASSWORD_DEFAULT);
?>

Recommended answer

Yes it is safe enough, and yes there is a better/safer way. As of PHP 7.2, Argon2 is part of a newly implemented (hashing) method that won the Password Hashing Competition which offers a more robust method, should you want to upgrade your version of PHP to 7.2.

The Wiki states the following:

  1. A memory cost that defines memory usage of the algorithm
  2. A time cost that defines the execution time of the algorithm and the number of iterations
  3. And a parallelism factor, which defines the number of parallel threads

You can also look into the following link which contains more information on Libsodium https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016

The manual on http://php.net/manual/en/function.password-hash.php also contains information on PASSWORD_ARGON2I.

The changelog states:


If upgrading to PHP 7.2 is not an option, then you could increase the "cost".

Pulled from this answer and from the related post Generating Password Hash In PHP 5.5 And Setting Cost Option, and I quote:

$iterations = 2 ^ $cost;

You can also consult this other Q&A here on Stack Overflow:
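
As an added example (not part of the original answer): one way to combine the two options discussed above, using PASSWORD_ARGON2I with its three parameters where the PHP build provides it, falling back to bcrypt with a raised cost otherwise, and upgrading old hashes at login. The function names `hashing_policy`, `hash_password` and `verify_and_upgrade` are hypothetical, and the parameter values are illustrative assumptions to be tuned per server.

```php
<?php
declare(strict_types=1);

// Pick the strongest algorithm this PHP build offers. PASSWORD_ARGON2I exists
// only on PHP 7.2+ compiled with Argon2 support; otherwise fall back to bcrypt.
function hashing_policy(): array
{
    if (defined('PASSWORD_ARGON2I')) {
        return [PASSWORD_ARGON2I, [
            'memory_cost' => 65536, // in KiB (64 MiB); illustrative value
            'time_cost'   => 4,     // number of iterations; illustrative value
            'threads'     => 1,     // parallelism factor
        ]];
    }
    // bcrypt: each +1 in cost doubles the work; PHP 7's default is 10.
    return [PASSWORD_BCRYPT, ['cost' => 12]];
}

function hash_password(string $password): string
{
    [$algo, $options] = hashing_policy();
    $hash = password_hash($password, $algo, $options);
    if (!is_string($hash)) { // false or null on failure before PHP 8
        throw new RuntimeException('password_hash failed');
    }
    return $hash;
}

// Returns [bool $ok, ?string $newHash]. $newHash is non-null when the stored
// hash used an older algorithm or weaker options and should be replaced.
function verify_and_upgrade(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    [$algo, $options] = hashing_policy();
    $newHash = password_needs_rehash($storedHash, $algo, $options)
        ? hash_password($password)
        : null;
    return [true, $newHash];
}

// Constructed demo: a legacy bcrypt hash at cost 10 is verified, then upgraded.
$legacy = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $upgraded] = verify_and_upgrade('correct horse', $legacy);
var_dump($ok, $upgraded !== null, password_get_info($upgraded ?? $legacy)['algoName']);
[$bad] = verify_and_upgrade('wrong guess', $legacy);
var_dump($bad);
```

Because the algorithm and its parameters are encoded in the hash string itself, `password_verify()` keeps accepting old hashes while `password_needs_rehash()` flags them for replacement on the next successful login.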
