Laravel 密码盐存储在哪里?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/32030933/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Where are laravel password salts stored?
提问by Nicholas Pickering
Laravel uses bcryptto hash passwords.
Laravel 用于bcrypt散列密码。
According to this article, at some point in the process, the Hash::makefunction creates and uses a 22-length random string as a salt to generate the password.
根据这篇文章,在该过程的某个时刻,该Hash::make函数创建并使用一个 22 长度的随机字符串作为盐来生成密码。
For a single distinct password, Hash::makedoes return unique hashes, hinting that it does use some kind of salting somewhere in the process.
对于单个不同的密码,Hash::make确实返回唯一的哈希值,暗示它确实在过程中的某处使用了某种加盐。
But these salts are not stored in the users table, where I would expect them. How does laravel know the appropriate hash to use to verify the password?
但是这些盐并没有存储在我期望的用户表中。Laravel 如何知道用于验证密码的适当哈希值?
回答by duffn
The article that you linked seems to contain the answer. https://mnshankar.wordpress.com/2014/03/29/laravel-hash-make-explained/
您链接的文章似乎包含答案。 https://mnshankar.wordpress.com/2014/03/29/laravel-hash-make-explained/
The cleverness of this is that the algorithm, salt and cost are embedded into the hash and so can be easily parsed out into individual components for reconstruction/verification (Please see relevant sections of the php crypt source code at https://github.com/php/php-src/blob/master/ext/standard/crypt.c#L258). Because of this, you don't need to store the salt/cost separately in a database table.
这样做的巧妙之处在于算法、盐和成本都嵌入到哈希中,因此可以轻松地解析为单个组件以进行重构/验证(请参阅https://github.com上的 php crypt 源代码的相关部分 /php/php-src/blob/master/ext/standard/crypt.c#L258)。因此,您不需要将盐/成本单独存储在数据库表中。
