Crypt() 函数的河豚盐长度?
根据 crypt() 文档,salt 必须是 22 个基数为 64 位的字母表./0-9A-Za-z".
According to the crypt() documentation, the salt needs to be 22 base 64 digits from the alphabet "./0-9A-Za-z".
这是他们给出的代码示例:
This is the code example they give:
crypt('rasmuslerdorf', '$2a$07$usesomesillystringforsalt$');
第一个令人困惑的部分是 salt 有 25 个字符,而不是 22 个.
The first confusing part is that salt has 25 characters, not 22.
问题 #1:这是否意味着盐应该长于超过 22 个字符?
Question #1: Does that mean the salt is supposed to be longer than 22 characters?
然后我自己测试了这个函数并注意到了一些东西.如果我使用 20 个字符的盐,我会得到这个
Then I tested the function myself and noticed something. If I use a 20 character salt, I get this
// using 20 char salt: 00000000001111111111
crypt('rasmuslerdorf', '$2a$07$00000000001111111111$');
// $2a$07$00000000001111111111$.6Th1f3O1SYpWaEUfdz7ieidkQOkGKh2
所以,当我使用 20 个字符的 salt 时,整个 salt 都在输出中.这很方便,因为那时我不必将盐存放在单独的地方.(我想使用随机盐).我将能够从生成的哈希中读取盐.
So, when I used a 20 character salt, the entire salt is in the output. Which is convenient, because I do not have to store the salt in a separate place then. (I want to use random salts). I would be able to read the salt back out of the generated hash.
但是,如果我按照文档所述使用 22 个字符的盐,或者使用更长的盐,盐会在最后被切断.
However, if I use a 22 character salt as the documentation says, or a longer one, the salt is cut off at the end.
// using 22 char salt: 0000000000111111111122
crypt('rasmuslerdorf', '$2a$07$0000000000111111111122$');
// $2a$07$000000000011111111112uRTfyYkWmPPMWDRM/cUAlulrBkhVGlui
// 22nd character of the salt is gone
// using 25 char salt: 0000000000111111111122222
crypt('rasmuslerdorf', '$2a$07$0000000000111111111122222$');
// $2a$07$000000000011111111112uRTfyYkWmPPMWDRM/cUAlulrBkhVGlui
// Same hash was generated as before, 21 chars of the salt are in the hash
问题 #2: 那么,盐的正确长度到底是多少?20?22?更长?
Question #2: So, what exactly is the proper length of a salt? 20? 22? Longer?
问题 #3: 另外,在检查密码时从哈希中读取盐值是否是个好主意?而不是将盐存储在一个单独的字段中并从那里读取它.(这似乎是多余的,因为盐似乎包含在哈希中).
Question #3: Also, is it a good idea to read the salt out of the hash when it is time to check passwords? Instead of storing the salt in a separate field and reading it from there. (Which seems redundant since the salt seems to be included in the hash).
推荐答案
Blowfish salts 应该是 22 个字符长(包括尾随的 $,所以 21) - 你可以用 var_dump(CRYPT_SALT_LENGTH)
仔细检查,我现在无法验证这一点,但我的猜测是,更少的字符会返回错误,更多的字符会被截断.
Blowfish salts should be 22 chars long (including the trailing $, so 21) - you can double check with var_dump(CRYPT_SALT_LENGTH)
, I can't verify this now but my guess is that less chars will return an error and more chars will be truncated.
关于您的第三个问题:是的,您应该使用哈希本身的嵌入式盐(和成本)参数读取并检查哈希.
Regarding your third question: yes, you should read and check the hash using the embedded salt (and cost) parameters from the hash itself.
相关文章