In the PHP manual, many of the examples pass a cost to password_hash. This is the manual's example for computing a good cost:
<?php
/**
 * This code will benchmark your server to determine how high of a cost you can
 * afford. You want to set the highest cost that you can without slowing down
 * your server too much. 8-10 is a good baseline, and more is good if your servers
 * are fast enough. The code below aims for <= 50 milliseconds stretching time,
 * which is a good baseline for systems handling interactive logins.
 *
 * Note: the loop stops at the first cost whose hash takes at least $timeTarget,
 * so the reported value is the lowest cost that reaches the budget, not the
 * highest one that stays under it.
 */
$timeTarget = 0.05; // 50 milliseconds
$cost = 8;
do {
    $cost++;
    $start = microtime(true);
    password_hash("test", PASSWORD_BCRYPT, ["cost" => $cost]);
    $end = microtime(true);
} while (($end - $start) < $timeTarget);
echo "Appropriate Cost Found: " . $cost . "\n";
?>
What does the cost represent?
Answer 0 (score: 3)
https://wildlyinaccurate.com/bcrypt-choosing-a-work-factor/
The reason the key setup phase can be expensive is that it is run 2^work times. Since password hashing is usually associated with common tasks such as logging users into a system, it is important to find the right balance between security and performance. Using a high work factor makes a brute-force attack exceptionally difficult, but puts an unnecessary burden on the system.
Answer 1 (score: 3)
From Wikipedia:
The cost parameter specifies a key expansion iteration count as a power of two, which is an input to the crypt algorithm.