On 25 July 2024 23:54:53 BST, Nick Lockheart <li...@ageofdream.com> wrote:
>Doesn't password_hash() handle this automatically? The result of the
>password_hash() function includes the hash and the algorithm used to
>hash it. That way password_verify() magically works with the string
>that came from password_hash().
For password hashing, you are always retrieving the hash for a specific user,
and then making a yes/no decision about it. Indeed, it's an explicit aim that
an attacker can't take a password and quickly scan a captured database for
matching hashes.
For other uses of hashes, though, the opposite is true: you want to search for
matching hashes. For instance, when you store a file in git, it calculates the
SHA1 hash of its content to use as a lookup key. If that key already exists in
the local database, it assumes the content is the same.
That also demonstrates another difference: hashes are often shared between
applications, where they need to be using an agreed algorithm. If a package
manager requires SHA1 hashes of each file, you can't just substitute SHA256
hashes without some other agreed changes.
Tempting though a "secure_hash" function is, I don't think it's practical for a
lot of the places hashing is used.
Regards,
Rowan Tommins
[IMSoP]