Hashing

Introduction

The Laravel Hash facade provides secure Bcrypt and Argon2 hashing for storing user passwords. If you are using one of the Laravel application starter kits, Bcrypt is used for registration and authentication by default.

Bcrypt is a good choice for hashing passwords because its "work factor" is adjustable, which means the time it takes to produce a hash can be raised as hardware becomes faster. When hashing passwords, slow is good. The longer an algorithm takes to hash a password, the longer a malicious user needs to build a "rainbow table". A rainbow table is a table of precomputed hashes for many candidate strings that can be used to brute-force passwords.

Configuration

By default, Laravel uses the bcrypt hashing driver when hashing data. However, several other hashing drivers are supported, including argon and argon2id.

You may specify your application's hashing driver using the HASH_DRIVER environment variable. But, if you want to customize all of Laravel's hashing driver options, you should publish the complete hashing configuration file using the config:publish Artisan command:

php artisan config:publish hashing

Basic Usage

Hashing Passwords

You may hash a password by calling the make method on the Hash facade:

<?php

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class PasswordController extends Controller
{
    /**
     * Update the password for the user.
     */
    public function update(Request $request): RedirectResponse
    {
        // Validate the new password length...

        $request->user()->fill([
            'password' => Hash::make($request->newPassword)
        ])->save();

        return redirect('/profile');
    }
}

Adjusting the Bcrypt Work Factor

If you are using the Bcrypt algorithm, the make method lets you control the work factor of the algorithm through the rounds option. However, the default work factor managed by Laravel is acceptable for most applications:

$hashed = Hash::make('password', [
    'rounds' => 12,
]);

Adjusting the Argon2 Work Factor

If you are using the Argon2 algorithm, the make method lets you control the work factor of the algorithm through the memory, time, and threads options. However, the default work factor managed by Laravel is acceptable for most applications:

$hashed = Hash::make('password', [
    'memory' => 1024,
    'time' => 2,
    'threads' => 2,
]);

For more information on these options, please refer to the official PHP documentation regarding Argon hashing.
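The work-factor passages above say that the defaults are acceptable for most applications but never show how to judge that for a given server. The following script is an added example, not code from the Laravel documentation or the framework: it times a single hash for several settings using PHP's password_hash, which is what Laravel's Bcrypt and Argon drivers call underneath (the Bcrypt driver passes rounds as PHP's cost option; the Argon driver passes memory, time and threads as memory_cost, time_cost and threads). The 250 ms budget, the sample password and the candidate settings are assumptions to adapt to your own login latency budget.

```php
<?php
// Added example (not Laravel's own code): measure how long one password hash
// takes for several work-factor settings so you can choose values that fit the
// hardware you actually deploy on. Run with: php calibrate-work-factor.php
declare(strict_types=1);

// Assumed budget: the cost per login attempt you are willing to pay. Adjust it.
const TARGET_MS = 250.0;

/** Time a single password_hash() call and return the elapsed milliseconds. */
function timeHash(string $password, string|int|null $algo, array $options): float
{
    $start = hrtime(true);
    password_hash($password, $algo, $options);
    return (hrtime(true) - $start) / 1e6;
}

// Constructed sample input; the value itself does not affect the timing much.
$password = 'correct horse battery staple';

echo "bcrypt (Laravel 'rounds' => PHP 'cost')\n";
foreach ([10, 11, 12, 13, 14] as $rounds) {
    $ms = timeHash($password, PASSWORD_BCRYPT, ['cost' => $rounds]);
    $flag = $ms >= TARGET_MS ? '  <- at or above the budget' : '';
    printf("  rounds=%d  %.1f ms%s\n", $rounds, $ms, $flag);
}

// Argon2id is only present when PHP was built with libargon2 / libsodium support.
if (defined('PASSWORD_ARGON2ID')) {
    echo "argon2id (Laravel 'memory'/'time'/'threads' => PHP memory_cost/time_cost/threads; memory in KiB)\n";
    // Assumed candidate settings: memory in KiB, iterations, parallelism.
    foreach ([[65536, 2, 1], [65536, 4, 1], [131072, 4, 1]] as [$memory, $time, $threads]) {
        $ms = timeHash($password, PASSWORD_ARGON2ID, [
            'memory_cost' => $memory,
            'time_cost'   => $time,
            'threads'     => $threads,
        ]);
        $flag = $ms >= TARGET_MS ? '  <- at or above the budget' : '';
        printf("  memory=%d KiB time=%d threads=%d  %.1f ms%s\n", $memory, $time, $threads, $ms, $flag);
    }
} else {
    echo "argon2id is not available in this PHP build\n";
}
```

Run it on the production hardware class, not a developer laptop, and pick the largest setting that stays inside your budget under expected concurrent logins; raising rounds by one roughly doubles the Bcrypt cost, while Argon2 cost scales with memory multiplied by time. The value you settle on goes into the published config/hashing.php (or the HASH_DRIVER and BCRYPT_ROUNDS environment variables), not into individual make calls.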

Verifying That a Password Matches a Hash

The check method provided by the Hash facade lets you verify that a given plain-text string corresponds to a given hash:

if (Hash::check('plain-text', $hashedPassword)) {
    // The passwords match...
}

Determining if a Password Needs to be Rehashed

The needsRehash method provided by the Hash facade lets you determine whether the work factor used by the hasher has changed since the password was hashed. Some applications choose to perform this check during the application's authentication process:

if (Hash::needsRehash($hashed)) {
    $hashed = Hash::make('plain-text');
}

Hash Algorithm Verification

To prevent hash algorithm manipulation, Laravel's Hash::check method will first verify the given hash was generated using the application's selected hashing algorithm. If the algorithms are different, a RuntimeException exception will be thrown.

This is the expected behavior for most applications, where the hashing algorithm is not expected to change and different algorithms can be an indication of a malicious attack. However, if you need to support multiple hashing algorithms within your application, such as when migrating from one algorithm to another, you can disable hash algorithm verification by setting the HASH_VERIFY environment variable to false:

HASH_VERIFY=false
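The needsRehash section says some applications rehash during authentication, and the section above explains why Hash::check refuses hashes from a different algorithm unless HASH_VERIFY is false. The controller below is an added example, not code from the Laravel documentation or the framework, showing the two ideas together: a login that verifies the password with Hash::check, then uses needsRehash to upgrade the stored hash while the plain text is still in hand, which is also how stored hashes get moved to a new driver after a migration. The class, the route names and the User model lookup are assumptions; Hash, Auth, ValidationException and the validate helper are standard Laravel APIs.

```php
<?php
// Added example (hypothetical controller, not part of Laravel): verify a login
// and transparently upgrade the stored hash when the work factor or driver changed.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\ValidationException;

class LoginController extends Controller
{
    public function store(Request $request): RedirectResponse
    {
        $credentials = $request->validate([
            'email'    => ['required', 'email'],
            'password' => ['required', 'string'],
        ]);

        $user = User::where('email', $credentials['email'])->first();

        // Hash::check throws a RuntimeException when the stored hash was produced by a
        // different algorithm than the configured driver, unless HASH_VERIFY=false.
        // Unknown accounts and wrong passwords get the same generic message.
        if ($user === null || ! Hash::check($credentials['password'], $user->password)) {
            throw ValidationException::withMessages([
                'email' => 'These credentials do not match our records.',
            ]);
        }

        // Login is the only moment the plain text is available, so it is the only
        // place an existing account can receive a stronger work factor or, after a
        // driver change with HASH_VERIFY=false, a hash from the new algorithm.
        if (Hash::needsRehash($user->password)) {
            $user->forceFill([
                'password' => Hash::make($credentials['password']),
            ])->save();
        }

        Auth::login($user);
        $request->session()->regenerate();

        return redirect()->intended('/dashboard'); // assumed post-login route
    }
}
```

Keep HASH_VERIFY=false only for the duration of a migration: once every active account has logged in and been rehashed, restore verification so a hash injected in the old format is rejected again. Note that the early return for an unknown e-mail skips the hash computation, which makes the failure slightly faster than a wrong-password failure; if that timing difference matters to you, run Hash::check against a fixed dummy hash in that branch.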

“Laravel” is a Trademark of Taylor Otwell.
The source documentation is released under MIT license. See laravel/docs on GitHub for details.
The translated documentations are released under MIT license. See cornch/laravel-docs-l10n on GitHub for details.