Question
So the question is pretty much in the title ^^.
Below is a little PHP script I wrote to test performance on my server (plus a screenshot of the result); it also shows how I intend to use password_hash() and password_verify() very simply.
I think I will go with PASSWORD_BCRYPT and cost = 11. What do you think?
<?php
// Benchmark of password_hash() / password_verify() at various bcrypt costs.
// Requires PHP 5.5+ (the password_* functions). Output is plain HTML.
$startpage = microtime(true);
$userPassword = "ILike5InchesIceCubes";
echo "<h2>Password we work on : " . $userPassword . "</h2><br><br>";

// 1. Explicit bcrypt with the library default cost (10 at the time of writing).
echo "<b>password_hash($userPassword, PASSWORD_BCRYPT) :<br></b>";
$start1 = microtime(true);
$hash = password_hash($userPassword, PASSWORD_BCRYPT);
echo "Hash is : " . $hash . "<br>";
echo "Hashing took : " . (microtime(true) - $start1) . " seconds <br>";
$start2 = microtime(true);
password_verify($userPassword, $hash);
echo "Password verification took : " . (microtime(true) - $start2) . " seconds <br><br>";

// 2. PASSWORD_DEFAULT: currently bcrypt, but may change in future PHP releases,
//    so the stored hash length must not be assumed fixed.
echo "<b>password_hash($userPassword, PASSWORD_DEFAULT) :<br></b>";
$start1 = microtime(true);
$hash = password_hash($userPassword, PASSWORD_DEFAULT);
echo "Hash is : " . $hash . "<br>";
echo "Hashing took : " . (microtime(true) - $start1) . " seconds <br>";
$start2 = microtime(true);
password_verify($userPassword, $hash);
echo "Password verification took : " . (microtime(true) - $start2) . " seconds <br><br>";

// 3. Sweep the bcrypt cost factor. Each step doubles the work (2^cost rounds),
//    so the timings below should roughly double per iteration.
$cost = 4;
do {
    echo "<b>password_hash($userPassword, PASSWORD_BCRYPT, [\"cost\" => " . $cost . "])<br></b>";
    $start1 = microtime(true);
    $hash = password_hash($userPassword, PASSWORD_BCRYPT, ["cost" => $cost]);
    echo "Hash is : " . $hash . "<br>";
    echo "Hashing took : " . (microtime(true) - $start1) . " seconds <br>";
    $start2 = microtime(true);
    password_verify($userPassword, $hash);
    echo "Password verification took : " . (microtime(true) - $start2) . " seconds <br><br>";
    $cost++;
} while ($cost <= 16);

$endpage = microtime(true);
echo "The whole page took : " . ($endpage - $startpage) . " seconds <br>";
?>
Answer
Yes, it is the way to go. There is a good post on Security StackExchange with more information:
You should try to alter the "cost" option as well. For bcrypt, the cost is a value ranging from 4 to 31; each increment means that the password hashing is twice as expensive, both for your server and for the attacker. In practice, you want to make that value as high as can be tolerated, given your server power, average load, peak load, and maximum user patience: this will give you the best security that you can hope for.
(Note that I said "the best", not "good".)
If you want to understand the underlying concepts for good password hashing, and why bcrypt is a good choice, start here.
password_hash() has been greatly improved in PHP 5.5+, and this, along with PASSWORD_BCRYPT, should be a good way to go.
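The answer's advice is to raise the cost as high as the server and the users will tolerate. The script below is an added example, not code from the question or the answer: it measures the largest bcrypt cost that fits a per-hash time budget on the machine it runs on, uses that cost for password_hash(), and on a successful login uses password_needs_rehash() to upgrade hashes that were stored with a lower cost. The 250 ms budget, the cost floor of 10, the "legacy" cost of 8 used for the demo, and the function names are assumptions chosen for illustration. It assumes PHP 7.1 or later for the nullable return type.

```php
<?php
declare(strict_types=1);

// Added example (not from the original question or answer). Assumes PHP >= 7.1.
// Budget, floor and legacy cost below are illustrative values, not recommendations.

/**
 * Return the largest bcrypt cost in [$minCost, 31] for which a single
 * password_hash() call stays within $targetMs on this server. Each cost step
 * doubles the work, so we stop at the first cost that exceeds the budget.
 * If even $minCost is over budget, $minCost is still returned as a floor:
 * a calibration run must never lower the cost below what you consider safe.
 */
function calibrateBcryptCost(float $targetMs = 250.0, int $minCost = 10): int
{
    $best = $minCost;
    for ($cost = $minCost; $cost <= 31; $cost++) {
        $start = microtime(true);
        password_hash('calibration-throwaway-value', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000.0;
        if ($elapsedMs > $targetMs) {
            break;
        }
        $best = $cost;
    }
    return $best;
}

/** Hash a new or changed password for storage with the calibrated cost. */
function hashForStorage(string $password, int $cost): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/**
 * Verify a login attempt against the stored hash.
 * Returns ['ok' => false, 'newHash' => null] on a wrong password.
 * Returns ['ok' => true, 'newHash' => string] when the password is right but
 * the stored hash uses a lower cost (or another algorithm) than the current
 * target; the caller should write newHash back to the user record.
 * Returns ['ok' => true, 'newHash' => null] when the stored hash is already current.
 */
function verifyAndMaybeRehash(string $password, string $storedHash, int $cost): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        // We only have the plaintext at login time, so this is the moment to upgrade.
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return ['ok' => true, 'newHash' => $newHash];
}

// Demo with a constructed user record: a hash made years ago at a low cost.
$targetCost = calibrateBcryptCost(250.0, 10);
printf("Calibrated bcrypt cost on this host: %d\n", $targetCost);

$legacyHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 8]);

$wrong = verifyAndMaybeRehash('wrong password', $legacyHash, $targetCost);
printf("Wrong password accepted? %s\n", $wrong['ok'] ? 'yes' : 'no');

$right = verifyAndMaybeRehash('correct horse battery staple', $legacyHash, $targetCost);
printf("Correct password accepted? %s\n", $right['ok'] ? 'yes' : 'no');
printf("Stored hash upgraded? %s\n", $right['newHash'] !== null ? 'yes' : 'no');

if ($right['newHash'] !== null) {
    // A second login with the upgraded hash needs no further rehash.
    $again = verifyAndMaybeRehash('correct horse battery staple', $right['newHash'], $targetCost);
    printf("Rehash needed again? %s\n", $again['newHash'] !== null ? 'yes' : 'no');
}
```

Run the calibration once at deploy time (or on a schedule) rather than on every request, and store the chosen cost in configuration: the cost is embedded in each bcrypt string, so password_needs_rehash() can tell old hashes apart from current ones without any extra database column. Remember that the 72-byte bcrypt input limit and the budget measured here apply per login attempt, so a peak-load estimate should multiply the per-hash time by the expected concurrent logins.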
This concludes the article "Is PHP password_hash() + password_verify() secure today (May 2016)?".