-1

让我们对密码进行哈希和加盐:

<?php
$hash = password_hash('bonjour', PASSWORD_BCRYPT,  ['cost' => 12, ]);
// no salt option mentionned 
// then salt will be generated randomly, see password_hash documentation     
echo $hash;
?>

每次重新加载页面时结果都会发生变化,这是正常的:盐是随机生成的,它可以是:

$2y$12$FlxBBjTjelKkGY.SJarlL.THUZBwcl7M6V35DmZmTmYJZRwhpRkIW
$2y$12$p2pkD116hBHNc/2nyQ2WyOkrn.h8xvWvM1.Lmvsnhms2Y6zsb.j1e
$2y$12$u4ipdQQM926jfanpXnwtkupv2CH/uWoPvK563tG7p.z35GcOBOZdS
etc.

在前面的代码中,盐似乎无处存放(我错了吗?)。但最后password_verify能够使用哈希检查密码,并且它适用于每个结果,无论盐是什么。 

<?php
echo password_verify('bonjour', '$2y$12$FlxBBjTjelKkGY.SJarlL.THUZBwcl7M6V35DmZmTmYJZRwhpRkIW') ? 'yes' : 'no';
// yes
echo password_verify('bonjour', '$2y$12$p2pkD116hBHNc/2nyQ2WyOkrn.h8xvWvM1.Lmvsnhms2Y6zsb.j1e') ? 'yes' : 'no';
// yes
?>

password_verify无需存储即可检查密码是否正常salt

4

1 回答 1

1

来自 PHP.net 手册

Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.

基本上,盐是在散列中编码的。

于 2014-10-08T10:57:49.710 回答