3

The PHP manual shows many uses of password_hash with a cost option. Below is some example code from the manual for finding a good value for cost:

<?php
/**
 * This code will benchmark your server to determine how high of a cost you can
 * afford. You want to set the highest cost that you can without slowing down
 * your server too much. 8-10 is a good baseline, and more is good if your servers
 * are fast enough. The code below aims for <= 50 milliseconds stretching time,
 * which is a good baseline for systems handling interactive logins.
 */
$timeTarget = 0.05; // 50 milliseconds

$cost = 8;
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $timeTarget);

echo "Appropriate Cost Found: " . $cost . "\n";
?>

What does cost mean? What is it used for?


2 Answers

4

From Wikipedia:

The cost parameter specifies a key expansion iteration count as a power of two, which is an input to the crypt algorithm.

answered 2016-08-09T01:33:54.193
3

https://wildlyinaccurate.com/bcrypt-choosing-a-work-factor/

The reason the key setup phase can be expensive is that it is run 2^work times. Since password hashing is usually associated with common tasks such as logging a user into a system, it is important to find an appropriate balance between security and performance. Using a high work factor makes brute-force attacks extremely difficult, but it puts unnecessary load on the system.

answered 2016-08-09T01:30:43.480
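Both answers make the same point: cost is an exponent, so a hash with cost 10 runs 2^10 key-setup rounds and each increment of cost roughly doubles the hashing time. The PHP below is an added example, not code from the question or either answer. It wraps the question's benchmark loop in a function, shows the doubling directly by timing consecutive costs, reads the cost back out of a stored hash (bcrypt keeps it in the `$2y$10$` prefix), and shows the login-time check with password_needs_rehash that upgrades hashes created with an older, lower cost. The function names, the 50 ms target and the sample password are this example's own assumptions.

```php
<?php
// Added example (not from the question or the answers). All function names,
// the 50 ms target and the sample password are assumptions of this example.

// Time a single bcrypt hash at the given cost, in seconds.
function time_bcrypt(int $cost): float
{
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    return microtime(true) - $start;
}

// The question's loop as a function: return the lowest cost whose hashing
// time reaches the target. bcrypt accepts costs 4..31, so stop at 31.
function find_bcrypt_cost(float $timeTarget = 0.05, int $minCost = 8): int
{
    $cost = $minCost;
    do {
        $cost++;
        $elapsed = time_bcrypt($cost);
    } while ($elapsed < $timeTarget && $cost < 31);
    return $cost;
}

// The cost travels with the hash: "$2y$10$<22-char salt><31-char digest>".
// Returns null for strings that are not bcrypt hashes.
function bcrypt_cost_of(string $hash): ?int
{
    return preg_match('/^\$2[aby]\$(\d{2})\$/', $hash, $m) ? (int) $m[1] : null;
}

// Login handler fragment: verify, then transparently re-hash with the current
// cost if the stored hash was made with a lower (or different) cost. The caller
// is expected to persist the returned hash when it changed.
function verify_and_upgrade(string $password, string $storedHash, int $currentCost): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'hash' => $storedHash];
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $currentCost])) {
        $storedHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $currentCost]);
    }
    return ['ok' => true, 'hash' => $storedHash];
}

// 1. Each +1 in cost doubles the work (2^cost rounds), which the timings show.
foreach ([8, 9, 10] as $c) {
    printf("cost %2d: %d rounds, %.4f s\n", $c, 2 ** $c, time_bcrypt($c));
}

// 2. Pick the cost for this machine with the question's criterion.
$cost = find_bcrypt_cost(0.05);
printf("chosen cost: %d (%d rounds)\n", $cost, 2 ** $cost);

// 3. A hash stored back when cost 8 was in use (constructed sample password).
$old = password_hash("correct horse battery staple", PASSWORD_BCRYPT, ["cost" => 8]);
printf("stored hash cost: %d\n", bcrypt_cost_of($old));

// 4. On login the hash is verified and silently upgraded to the chosen cost.
$result = verify_and_upgrade("correct horse battery staple", $old, $cost);
printf("login ok: %s, hash cost now: %d\n",
    $result['ok'] ? 'yes' : 'no', bcrypt_cost_of($result['hash']));

// A wrong password never triggers a rehash.
$bad = verify_and_upgrade("wrong", $old, $cost);
printf("wrong password ok: %s, hash unchanged: %s\n",
    $bad['ok'] ? 'yes' : 'no', $bad['hash'] === $old ? 'yes' : 'no');
```

Run it once per deployment target rather than on every request: the benchmark itself costs several hashes' worth of CPU, and the chosen cost should be a configuration value, with password_needs_rehash doing the per-login comparison against it.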