问题
What is better with salt for password storage?
MD5:
$hash = md5($password . $salt);
Password_hash:
$hash = password_hash($password, PASSWORD_DEFAULT, $salt);
SHA1:
$result = sha1($salt.$string);
回答1:
You should absolutely use the password_hash() function without providing your own salt:
$hash = password_hash($password, PASSWORD_DEFAULT);
The function will generate a safe salt on its own. The other algorithms are ways too fast to hash passwords and therefore can be brute-forced too easily (about 8 Giga MD5 per second).
回答2:
Salts are great when you are storing lots of passwords, otherwise they are fairly useless since they are stored in plaintext. If an attacker manages to get your hashed passwords, then assume that they can get their hands on your salts. Use SHA-256 because it's a cryptographically strong hash function, and use salts. But most importantly, just use strong passwords combined with strong hashing algorithms.
来源:https://stackoverflow.com/questions/29147457/what-is-better-password-hash-vs-sha256-vs-sha1-vs-md5