详谈PHP中的密码安全性Password Hashing

<?php//require 'password.php';/** * 正确的密码是secret-password * $passwordHash 是hash 后存储的密码 * password_verify()用于将用户输入的密码和数据库存储的密码比对。成功返回true，否则false */$passwordHash = password_hash('secret-password', PASSWORD_DEFAULT);echo $passwordHash;if (password_verify('bad-password', $passwordHash)) {  // Correct Password  echo 'Correct Password';} else {  echo 'Wrong password';  // Wrong password}

<?phpclass User{  // Store password options so that rehash & hash can share them:  const HASH = PASSWORD_DEFAULT;  const COST = 14;//可以确定该算法应多复杂，进而确定生成哈希值将花费多长时间。（将此值视为更改算法本身重新运行的次数，以减缓计算。）  // Internal data storage about the user:  public $data;  // Mock constructor:  public function __construct() {    // Read data from the database, storing it into $data such as:    // $data->passwordHash and $data->username    $this->data = new stdClass();    $this->data->passwordHash = 'dbd014125a4bad51db85f27279f1040a';  }  // Mock save functionality  public function save() {    // Store the data from $data back into the database  }  // Allow for changing a new password:  public function setPassword($password) {    $this->data->passwordHash = password_hash($password, self::HASH, ['cost' => self::COST]);  }  // Logic for logging a user in:  public function login($password) {    // First see if they gave the right password:    echo "Login: ", $this->data->passwordHash, "/n";    if (password_verify($password, $this->data->passwordHash)) {      // Success - Now see if their password needs rehashed      if (password_needs_rehash($this->data->passwordHash, self::HASH, ['cost' => self::COST])) {        // We need to rehash the password, and save it. Just call setPassword        $this->setPassword($password);        $this->save();      }      return true; // Or do what you need to mark the user as logged in.    }    return false;  }}