To keep users' plaintext passwords from being exposed when a server is attacked and its database is dumped, passwords are normally stored after a one-way, irreversible transformation: a hash. This article introduces bcrypt, the more secure password hashing mechanism that PHP exposes through password_hash(), in some detail; it should be a useful reference for anyone who needs it.
The common ways are:

| Hash method | Hashed password |
| --- | --- |
| md5('123456') | e10adc3949ba59abbe56e057f20f883e |
| md5('123456' . ($salt = 'salt')) | 207acd61a3c1bd506d7e9a4535359f8a |
| sha1('123456') | 40-character hex digest |
| hash('sha256', '123456') | 64-character hex digest |
| hash('sha512', '123456') | 128-character hex digest |
The longer the digest, the longer a brute-force run takes on the same machine, and the more secure the hash is.
The more common hashing method is MD5 + salt, which prevents a simple password chosen by the user from being cracked easily.
password_hash
Nowadays, however, the recommended approach is the password_hash() function, which salts and hashes the password for you and is practically impossible to crack.

```php
<?php
$password = '123456';
// Two calls with the same input give two different hashes, because a fresh random salt is generated each time.
var_dump(password_hash($password, PASSWORD_DEFAULT));
var_dump(password_hash($password, PASSWORD_DEFAULT));
```
The length of the hash produced by password_hash() depends on the algorithm: PASSWORD_BCRYPT gives 60 characters, PASSWORD_DEFAULT gives 60 to 255 characters. Which algorithm PASSWORD_DEFAULT stands for depends on the PHP version; it may change in a future release, but that does not affect how the functions are used.
Because password_hash() returns a different result on every call, the hash must be checked with password_verify() rather than compared directly.

```php
<?php
$password = '123456';
$hash = password_hash($password, PASSWORD_DEFAULT);
// password_verify() reads the salt and cost from $hash, recomputes the hash and compares in constant time.
var_dump(password_verify($password, $hash));
```
password_hash() stores all the parameters of the hash computation inside the result, and password_get_info() can read them back.

```php
<?php
$password = '123456';
$hash = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_get_info($hash));
```

Output

```
array(3) {
  ["algo"]=>
  int(1)
  ["algoName"]=>
  string(6) "bcrypt"
  ["options"]=>
  array(1) {
    ["cost"]=>
    int(10)
  }
}
```

Note: the salt itself is not included.
So on my current PHP version, PASSWORD_DEFAULT actually uses PASSWORD_BCRYPT.
The third parameter of password_hash($password, $algo, $options), $options, allows setting a salt of at least 22 characters. It is nevertheless strongly recommended to rely on the salt PHP generates by default and not to set one yourself.
When you want to change the hashing algorithm or its options, password_needs_rehash() tells you whether a stored hash should be recomputed. The following code is the official example:

```php
<?php
$options = array('cost' => 11);   // cost 11 as in the PHP manual's example

// Verify stored hash against plain-text password
if (password_verify($password, $hash)) {
    // Check if a newer hashing algorithm is available
    // or the cost has changed
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        // If so, create a new hash, and replace the old one
        $newHash = password_hash($password, PASSWORD_DEFAULT, $options);
    }

    // Log user in
}
```

password_needs_rehash() can be understood as comparing $algo + $options with the values returned by password_get_info($hash).
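The following is an added example, not code from the original article, showing the three functions together in a registration and login flow: password_hash() on registration, password_verify() on login, and password_needs_rehash() to upgrade old hashes transparently once the user has proved the password. The in-memory $users array is a constructed stand-in for a database table whose password column is VARCHAR(255); the cost of 12 and the 'dummy-password' string are assumptions. No salt is passed in $options, in line with the article's advice (the salt option is deprecated since PHP 7.0 anyway).

```php
<?php
// Added example: register / login flow built on password_hash(),
// password_verify() and password_needs_rehash(). Not from the original article.

declare(strict_types=1);

const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];   // assumption: tune to your hardware

/** @var array<string, array{hash: string}> $users constructed in-memory user store */
$users = [];

function registerUser(array &$users, string $username, string $password): void
{
    // Store only the hash; algorithm, cost and salt are embedded in it.
    $users[$username] = ['hash' => password_hash($password, HASH_ALGO, HASH_OPTIONS)];
}

function loginUser(array &$users, string $username, string $password): bool
{
    // Verify against a dummy hash when the username is unknown, so the
    // response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password', HASH_ALGO, HASH_OPTIONS);

    $stored = $users[$username]['hash'] ?? $dummyHash;

    // password_verify() always runs; the isset() check comes afterwards.
    if (!password_verify($password, $stored) || !isset($users[$username])) {
        return false;
    }

    // The user just proved the plaintext, so this is the one moment the
    // hash can be upgraded to the current algorithm and cost.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username]['hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Usage
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'nobody', 'anything'));

// A legacy row hashed with a lower cost is upgraded on the next successful login.
$users['bob'] = ['hash' => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10])];
loginUser($users, 'bob', 'hunter2');
var_dump(password_get_info($users['bob']['hash'])['options']['cost']);
```

The first login for alice succeeds, the two following attempts fail, and after bob logs in his stored hash reports the new cost. Rehashing only on a successful login is unavoidable: the server never has the plaintext at any other time.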
password_hash is slow
password_hash() is known to be slow, which means that in a given amount of time only a small number of password guesses can be tried, reducing the damage of a leaked database.

```php
<?php
$password = '123456';

// One bcrypt hash, timed.
var_dump(microtime(true));
var_dump(password_hash($password, PASSWORD_DEFAULT));
var_dump(microtime(true));

echo "\n";

// 1000 MD5 hashes, timed.
var_dump(microtime(true));
var_dump(md5($password));
for ($i = 0; $i < 999; $i++) {
    md5($password);
}
var_dump(microtime(true));
```

Output

```
float(1495594920.7034)
string(60) "$2y$10$9ZLVGZQMIZPEKYIIUCHT6EUJQEBEKOAJFQO8/JW/Q6DMRMWNN0PDM"
float(1495594920.7818)

float(1495594920.7818)
string(32) "e10adc3949ba59abbe56e057f20f883e"
float(1495594920.7823)
```

password_hash() took 784 milliseconds, while 1000 rounds of MD5 took 5 milliseconds. This is a very rough comparison that depends on the machine, but it still shows that password_hash() is genuinely slow.
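Since the cost is what makes bcrypt slow, and the right value depends on the machine, the following added example (not from the original article) measures password_hash() at increasing costs and returns the highest cost that stays within a time budget. The 250 ms budget, the 10 to 31 cost range and the 'benchmark-password' string are assumptions; the budget should come from how many logins per second the server must sustain. Each increment of the cost doubles the work, so the loop stops at the first cost over budget.

```php
<?php
// Added example: choose a bcrypt cost empirically. Not from the original article.

declare(strict_types=1);

/** Average milliseconds per password_hash() call at the given cost. */
function timeHash(int $cost, int $rounds = 3): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        password_hash('benchmark-password', PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return (hrtime(true) - $start) / $rounds / 1e6;
}

/**
 * Step the cost up from $minCost and return the last cost whose average
 * hash time stayed at or under $targetMs (assumed budget: 250 ms).
 */
function recommendCost(float $targetMs = 250.0, int $minCost = 10, int $maxCost = 31): int
{
    $chosen = $minCost;
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $ms = timeHash($cost);
        printf("cost %2d: %8.1f ms per hash\n", $cost, $ms);
        if ($ms > $targetMs) {
            break;   // the next cost would only be slower
        }
        $chosen = $cost;
    }
    return $chosen;
}

$cost = recommendCost();
printf("recommended cost: %d\n", $cost);

// For contrast, the rate at which a fast hash can be computed. An attacker
// with a dumped table of bcrypt hashes is held to the bcrypt rate instead.
$start = hrtime(true);
for ($i = 0; $i < 1000; $i++) {
    md5('benchmark-password');
}
printf("1000 x md5(): %.1f ms\n", (hrtime(true) - $start) / 1e6);
```

Run this once on the production hardware when deploying, feed the result into the $options passed to password_hash(), and repeat when the hardware is upgraded; password_needs_rehash() then migrates existing users to the new cost as they log in.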