我是password_hash
和password_verify
的新用户,它们似乎是安全存储密码的最有效方式!
我注意到password_hash
为同一plain-text
值every time
生成了不同的哈希值!
这意味着如果用户尝试使用密码(thisIsMyPassword)
创建帐户,则会生成类似此$2y$10$VCNH8ndve8hwbvLJ2nMHtOsEiigE4zA7ViADxCJfq9bmUCmkNkcce
的哈希,
如果另一个或同一个用户尝试使用相同的密码创建另一个帐户,即(thisIsMyPassword)
,则会创建该帐户,密码的哈希值将类似于$2y$10$Hqssc5nn3pzgfwqVwQrQz.Ny71q972RXmCmyV9ykywG8iELbsf47a
!
现在您看到相同的值,即(thisIsMyPassword)
导致不同的哈希值!
这样可以吗?
只要密码哈希在数据库中有所不同,让用户使用相同的密码是否可以?
答案 0 :(得分:2)
The password hash includes a so-called salt, a small random value, which is here to prevent dictionary attacks, here is what PHP manual says:
If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.
The value you get as the output, is not really a plain hash, but a string made of - algorithm id, salt and HASH(password,salt).
The used algorithm, cost and salt are returned as part of the hash. Therefore, all information that's needed to verify the hash is included. in it. This allows the password_verify() function to verify the hash without needing separate storage for the salt or algorithm information.