So the question is mostly in the title ^^. Is PHP password_hash() + password_verify() secure today (May 2016)?
Below is a small piece of PHP code with which I tested my server's performance (+ a screenshot of the results), and which shows you how I intend to use password_hash() and password_verify().
I think I will use PASSWORD_BCRYPT with cost = 11, what do you think?
<?php
// Measures how long password_hash() and password_verify() take on this server:
// bcrypt at its default cost, PASSWORD_DEFAULT, and then bcrypt at every cost 4..16.
// bcrypt's cost is logarithmic: each +1 doubles the work, so cost 16 is 4096x cost 4.
$startpage = microtime(true);
$userPassword = "ILike5InchesIceCubes";
echo "<h2>Password we work on : " . htmlspecialchars($userPassword) . "</h2><br><br>";

// Hashes $password once with the given algorithm and options, verifies it once,
// and prints both timings. password_verify() re-runs bcrypt at the cost stored
// inside the hash, so it takes about as long as hashing did.
function timeHashAndVerify($password, $algo, array $options, $label)
{
    echo "<b>" . htmlspecialchars($label) . " :<br></b>";
    $start1 = microtime(true);
    $hash = password_hash($password, $algo, $options);
    if ($hash === false) {            // PHP < 8 returns false on failure; PHP 8 throws
        echo "password_hash() failed<br><br>";
        return;
    }
    echo "Hash is : " . htmlspecialchars($hash) . "<br>";
    echo "Hashing took : " . (microtime(true) - $start1) . " seconds <br>";
    $start2 = microtime(true);
    $ok = password_verify($password, $hash);
    echo "Password verification took : " . (microtime(true) - $start2) . " seconds"
       . ($ok ? "" : " (VERIFY FAILED)") . "<br><br>";
}

timeHashAndVerify($userPassword, PASSWORD_BCRYPT, [], "password_hash($userPassword, PASSWORD_BCRYPT)");
timeHashAndVerify($userPassword, PASSWORD_DEFAULT, [], "password_hash($userPassword, PASSWORD_DEFAULT)");
for ($cost = 4; $cost <= 16; $cost++) {
    timeHashAndVerify($userPassword, PASSWORD_BCRYPT, ["cost" => $cost],
        "password_hash($userPassword, PASSWORD_BCRYPT, [\"cost\" => $cost])");
}
$endpage = microtime(true);
echo "The whole page took : " . ($endpage - $startpage) . " seconds <br>";
?>
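The benchmark above prints raw timings; what a practitioner actually wants from them is the cost value to deploy. The following is an added example, not code from the question: it picks the bcrypt cost so that one hash takes roughly a target time on the machine it runs on, then turns that figure into the guess rate an attacker with the same CPU would get. The helper names (measureHashSeconds, findCost), the 250 ms target and the keyspace sizes at the end are all my own assumptions for illustration; the days-to-search figures are a single-core CPU estimate for this box, not a claim about GPUs or dedicated crackers.

```php
<?php
// Added example (not from the original question): choose the bcrypt cost so that one
// password_hash() call takes about $targetMs on this server, and show what that cost
// means for an attacker using the same hardware. Because password_verify() repeats
// the same work, the chosen cost is also the latency added to every login.
declare(strict_types=1);

function measureHashSeconds(int $cost, int $samples = 3): float
{
    // Throwaway input: bcrypt's running time does not depend on the password.
    $start = microtime(true);
    for ($i = 0; $i < $samples; $i++) {
        password_hash("benchmark-password", PASSWORD_BCRYPT, ["cost" => $cost]);
    }
    return (microtime(true) - $start) / $samples;
}

// Returns the first cost (never below $minCost) at which hashing reaches $targetMs.
// bcrypt allows 4..31; 31 is unreachable in practice and is only the loop bound.
function findCost(float $targetMs, int $minCost = 10, int $maxCost = 31): int
{
    $cost = $minCost;
    while ($cost < $maxCost && measureHashSeconds($cost) * 1000 < $targetMs) {
        $cost++;
    }
    return $cost;
}

$cost    = findCost(250.0);            // assumed target: ~250 ms per login
$seconds = measureHashSeconds($cost);
printf("cost=%d: one hash takes %.3f s on this machine\n", $cost, $seconds);
printf("an attacker with the same CPU gets about %.1f guesses per second per core\n",
    1 / $seconds);

// Constructed keyspace sizes, only to put that rate in context.
$keyspaces = [
    "8 lowercase letters"      => 26 ** 8,
    "10000 most common words"  => 10000,
];
foreach ($keyspaces as $label => $size) {
    printf("  %-26s %.1f days for a full search on one core\n",
        $label . ":", $size * $seconds / 86400);
}
```

The loop starts at cost 10 because that is the lowest value worth deploying today; whatever it returns, the number to watch is the days-to-search line for a small dictionary, since most real passwords fall in a keyspace that size, and no cost makes that search expensive enough on its own.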
Yes. But if you use PASSWORD_DEFAULT, then a server upgrade may upgrade the hashing algorithm at the same time. It is implemented this way so that the security of password hashes can be raised gracefully when a new algorithm is recommended instead of Bcrypt – JimL
Yes, and you can verify with as high a cost as possible –
That's exactly what I thought; I was waiting for your confirmation as an answer. How long would it take to brute-force my cost = 11 / current PASSWORD_DEFAULT with a standard i7 CPU and 8 GB RAM? – shrimpdrake
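JimL's comment describes the upgrade path but not how a login routine takes advantage of it: a stored hash is only ever upgraded when the user logs in, because that is the only moment the plaintext is available. The following is an added example, not code from the thread, showing that flow with password_verify() and password_needs_rehash(). The constants HASH_ALGO and HASH_OPTIONS, the functions hashPassword() and login(), the $saveHash callback and the in-memory $users array are my own assumptions standing in for a real application and database; the fixture user is created at cost 8 purely to represent an old, weaker policy.

```php
<?php
// Added example (not from the original thread): verify a password and, when the stored
// hash was produced with an older algorithm or a lower cost than the current policy,
// replace it right after a successful login. password_needs_rehash() compares the
// algorithm and options encoded in the hash against the policy; raising HASH_OPTIONS
// or a future change of PASSWORD_DEFAULT is picked up with no other code change.
declare(strict_types=1);

const HASH_ALGO    = PASSWORD_DEFAULT;   // assumed policy: whatever PHP currently recommends
const HASH_OPTIONS = ["cost" => 11];     // assumed policy: the cost chosen in the question

function hashPassword(string $password): string
{
    return password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

/**
 * Returns true on success. $saveHash is called with the new hash only when the
 * stored one no longer matches the current policy, and only after a successful verify,
 * so a wrong password can never cause a write.
 */
function login(string $password, string $storedHash, callable $saveHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        $saveHash(hashPassword($password));
    }
    return true;
}

// Constructed fixture: one user whose hash was made under an old policy (bcrypt, cost 8).
$users = [
    "alice" => password_hash("correct horse battery staple", PASSWORD_BCRYPT, ["cost" => 8]),
];

$before = $users["alice"];
$ok = login("correct horse battery staple", $before,
    function (string $newHash) use (&$users) { $users["alice"] = $newHash; });
printf("login: %s\n", $ok ? "ok" : "rejected");
printf("hash upgraded: %s\n", $users["alice"] !== $before ? "yes" : "no");
printf("old: %s\nnew: %s\n", $before, $users["alice"]);

// A wrong password is rejected and must not trigger a rehash.
$ok = login("wrong password", $users["alice"],
    function (string $h) { throw new RuntimeException("rehash on failed login"); });
printf("wrong password: %s\n", $ok ? "ok" : "rejected");
```

The cost is visible in the hash prefix, so comparing the old and new strings printed by the example shows the upgrade directly. One caveat the thread does not mention: accounts that never log in again keep their old hash, so a policy change only protects the active population unless dormant accounts are forced through a reset.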