PHP password_hash(): Are password hashes portable between systems?
It is my belief that passwords hashed using PHP's password_hash() function may be transferred to different systems and still be successfully used for verification purposes.
It's my understanding that the bcrypt hash contains all the necessary components that, when combined with the plain text password, the given password may be verified. Because of this, the hash can be taken to any system with a compatible implementation and used for verification purposes.
I will be trying this out soon, but before I do I would like to know if my theory is correct.
Is this correct?
Yes, it is correct. The documentation for password_verify states:
Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.
Of course it's also easy to see that this information is there by inspecting the output of password_hash and crypt (which is, to overgeneralize a bit, mostly the same thing).
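The following script is an added illustration of the point made in the answer; it is not code from the question, the answer, or the PHP manual. It generates a bcrypt hash as if on "system A", pulls the algorithm identifier, cost and salt back out of the string with a hand-written parser (the function name parseBcryptHash and the regular expression are this example's own), and then verifies the password using nothing but that stored string, as "system B" would. The password and cost values are constructed for the demo.

```php
<?php
// Added example (not from the original post): a password_hash() result is
// self-describing, so another PHP installation can verify it from the string alone.

// "System A": create the hash that would be stored in the database.
// Constructed values: the password and the cost are chosen for the demo only.
$storedHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);

// Hypothetical helper: split a bcrypt string in crypt format into its parts.
// Layout: $<2a|2b|2y>$<two-digit cost>$<22-char salt><31-char digest>,
// salt and digest both in bcrypt's ./A-Za-z0-9 alphabet.
function parseBcryptHash(string $hash): array
{
    $pattern = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($pattern, $hash, $m)) {
        throw new InvalidArgumentException('Not a bcrypt hash in crypt format');
    }
    return [
        'algorithm' => $m[1],      // "2y" is what PHP emits
        'cost'      => (int) $m[2], // work factor, 2^cost rounds
        'salt'      => $m[3],       // 128-bit salt, 22 base64 characters
        'digest'    => $m[4],       // 184-bit digest, 31 base64 characters
    ];
}

// "System B": only $storedHash is known here. password_verify() reads the
// algorithm, cost and salt from the string itself, so no extra storage is needed.
function verifyOnOtherSystem(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

print_r(parseBcryptHash($storedHash));
var_dump(verifyOnOtherSystem('correct horse battery staple', $storedHash));
var_dump(verifyOnOtherSystem('wrong password', $storedHash));

// PHP exposes the same metadata without manual parsing.
print_r(password_get_info($storedHash));

// Because the cost travels with the hash, the receiving system can notice that
// a hash was made under a weaker policy and rehash after a successful login.
if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
    // After a verified login, store password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]).
}
```

Run it with any PHP build that has bcrypt support (5.5 and later). The parser exists only to make the embedded components visible; in real code rely on password_verify() and password_needs_rehash() rather than inspecting the string yourself.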