Я провел несколько тестов наodium_crypto_pwhash_str () с грубыми временными интервалами.В приведенном ниже коде тесты 1, 2 и 3 выполняются с паролями из 4, 40 и 400 символов.Это не имело никакого значения для времени или длины хеша.Тесты i, m и s используют SODIUM_CRYPTO_PWHASH _ * _ INTERACTIVE, SODIUM_CRYPTO_PWHASH _ * _ MODERATE и SODIUM_CRYPTO_PWHASH _ * _ SENSITIVE.Это привело к хэшам 97, 98 и 99 символов соответственно.Тесты * _SENSITIVE заняли примерно в 6 раз больше времени, чем тесты * _MODERATE.Эти последние заняли примерно в 6 раз больше времени, чем * _INTERACTIVE тесты.
Вот мой тестовый код.
$pass1 = bin2hex(openssl_random_pseudo_bytes(2));
$pass2 = bin2hex(openssl_random_pseudo_bytes(20));
$pass3 = bin2hex(openssl_random_pseudo_bytes(200));
$t = microtime(true);
$test1i = strlen(sodium_crypto_pwhash_str(
$pass1,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE));
$time1i = microtime(true) - $t;
$t = microtime(true);
$test1m = strlen(sodium_crypto_pwhash_str(
$pass1,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE));
$time1m = microtime(true) - $t;
$t = microtime(true);
$test1s = strlen(sodium_crypto_pwhash_str(
$pass1,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE));
$time1s = microtime(true) - $t;
$t = microtime(true);
$test2i = strlen(sodium_crypto_pwhash_str(
$pass2,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE));
$time2i = microtime(true) - $t;
$t = microtime(true);
$test2m = strlen(sodium_crypto_pwhash_str(
$pass2,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE));
$time2m = microtime(true) - $t;
$t = microtime(true);
$test2s = strlen(sodium_crypto_pwhash_str(
$pass2,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE));
$time2s = microtime(true) - $t;
$t = microtime(true);
$test3i = strlen(sodium_crypto_pwhash_str(
$pass3,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE));
$time3i = microtime(true) - $t;
$t = microtime(true);
$test3m = strlen(sodium_crypto_pwhash_str(
$pass3,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE));
$time3m = microtime(true) - $t;
$t = microtime(true);
$test3s = strlen(sodium_crypto_pwhash_str(
$pass3,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_SENSITIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_SENSITIVE));
$time3s = microtime(true) - $t;
$len1 = strlen($pass1);
$len2 = strlen($pass2);
$len3 = strlen($pass3);
$pLen1 = str_repeat(' ', 3 - strlen($len1)) . $len1;
$pLen2 = str_repeat(' ', 3 - strlen($len2)) . $len2;
$pLen3 = str_repeat(' ', 3 - strlen($len3)) . $len3;
printf("Pass length: %3s" .
'; I: %2d chars (%4.2f secs)' .
'; M: %2d chars (%4.2f secs)' .
'; S: %2d chars (%4.2f secs)' . PHP_EOL,
$len1, $test1i, $time1i, $test1m, $time1m, $test1s, $time1s);
printf("Pass length: %3s" .
'; I: %2d chars (%4.2f secs)' .
'; M: %2d chars (%4.2f secs)' .
'; S: %2d chars (%4.2f secs)' . PHP_EOL,
$len2, $test2i, $time2i, $test2m, $time2m, $test2s, $time2s);
printf("Pass length: %3s" .
'; I: %2d chars (%4.2f secs)' .
'; M: %2d chars (%4.2f secs)' .
'; S: %2d chars (%4.2f secs)' . PHP_EOL,
$len3, $test3i, $time3i, $test3m, $time3m, $test3s, $time3s);
Один прогон дал мне следующие результаты:
Pass length: 4; I: 97 chars (0.06 secs); M: 98 chars (0.37 secs); S: 99 chars (2.24 secs)
Pass length: 40; I: 97 chars (0.06 secs); M: 98 chars (0.36 secs); S: 99 chars (2.22 secs)
Pass length: 400; I: 97 chars (0.06 secs); M: 98 chars (0.36 secs); S: 99 chars (2.18 secs)
Однако я все еще не совсем доволен эмпирическим кодированием.: - (