将 MD5+Salt 密码导入 MD5
我正在将我的网站从 oscommerce 商店转移到商业应用程序。
新应用程序使用直接 MD5 加密来存储密码。 Oscommerce 使用 MD5 存储密码,但还会向哈希值添加一个随机的 2 位数字(以明文形式提供)。
以下是某人在论坛上发布的内容:
添加的两个字符是为了以这样的方式创建哈希
hash=md5(双字符明文密码)
即:2个字母:74
普通密码:PaSs
哈希=md5('74PaSs')=acaa6e689ae0008285320e6617ca8e95:74
以下是 Oscommerce 如何加密密码的代码:
// This function makes a new password from a plaintext password.
function tep_encrypt_password($plain) {
$password = '';
for ($i=0; $i<10; $i++) {
$password .= tep_rand();
}
$salt = substr(md5($password), 0, 2);
$password = md5($salt . $plain) . ':' . $salt;
return $password;
}
// This funstion validates a plain text password with an encrypted password
function tep_validate_password($plain, $encrypted) {
if (tep_not_null($plain) && tep_not_null($encrypted)) {
// split apart the hash / salt
$stack = explode(':', $encrypted);
if (sizeof($stack) != 2) {
return false;
}
if (md5($stack[1] . $plain) == $stack[0]) {
return true;
}
}
return false;
}
以下是我的新购物车如何加密密码:
if ($admin_password_encrypt == 1) {
$password_match = md5($password);
} else {
$password_match = $password;
}
是否有任何可能的方法将客户密码从我的 oscommerce 购物车导入到我的新购物车。
I'm moving my site from an oscommerce store to a commercial application.
The new application stores its passwords using straight MD5 encryption. Oscommerce stores the password using MD5, but also adds a random 2 digit number (provided in plaintext) to the hash.
Here is what someone posted on a forum:
The two characters added are for creating the hash in such way that
hash=md5(twocharactersPlainPassword)
ie: 2letters: 74
Plain Password: PaSs
hash=md5('74PaSs')=acaa6e689ae0008285320e6617ca8e95:74
Here is the code how Oscommerce encrypts the password:
// This function makes a new password from a plaintext password.
function tep_encrypt_password($plain) {
$password = '';
for ($i=0; $i<10; $i++) {
$password .= tep_rand();
}
$salt = substr(md5($password), 0, 2);
$password = md5($salt . $plain) . ':' . $salt;
return $password;
}
// This funstion validates a plain text password with an encrypted password
function tep_validate_password($plain, $encrypted) {
if (tep_not_null($plain) && tep_not_null($encrypted)) {
// split apart the hash / salt
$stack = explode(':', $encrypted);
if (sizeof($stack) != 2) {
return false;
}
if (md5($stack[1] . $plain) == $stack[0]) {
return true;
}
}
return false;
}
Here is how my new cart encrypts the password:
if ($admin_password_encrypt == 1) {
$password_match = md5($password);
} else {
$password_match = $password;
}
Is there any possible way of importing customer passwords from my oscommerce cart to my new cart.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
不要在数据库中保存纯 MD5 哈希值。 可以使用彩虹表快速轻松地对普通 MD5 哈希值进行逆向工程。 但是,无论您将来选择如何存储密码,解决问题的方法如下:
无论如何,我想重申,对于大多数密码来说,简单的 MD5 哈希很容易破解(因为人们喜欢简短且易于记住的密码。)使用盐和/或更复杂的算法。 我推荐两者,并使用长度超过两个字符且不限于数字的盐。 这将使密码真正安全。
Do not save plain MD5 hashes in your database. Plain MD5 hashes can be reverse engineered quickly and easily using rainbow tables. However, here's how you solve your problem, no matter how you choose to store the passwords in the future:
Anyways, I want to reiterate that plain MD5 hashes are easy to crack for most passwords (since people like short and easy to remember passwords.) Use a salt and/or a more complex algorithm. I'd recommend both, and use a salt that is longer than two characters and not limited to numbers. This will make the passwords really secure.
您似乎拥有新购物车的源代码。 由于“直接 MD5”是一种非常糟糕的密码存储方式,也许您应该简单地更改为使用与 OSCommerce 相同的密码存储机制。
您的问题的答案是否定的,没有办法转换密码。
It appears that you have the source code for your new cart. Since "straight MD5" is a terribly awful way of storing passwords, perhaps you should simply change the to use the same password storage mechanism as OSCommerce.
The answer to your question is no, there is no way of converting the passwords.
不。MD5 是一种哈希算法,它是一种单向函数。 您无法在 oscommerce 系统上反转哈希以删除盐并重新哈希。 对不起。
No. MD5 is a hash algorithm, which is a one-way function. You cannot reverse the hash on your oscommerce system to remove the salt and rehash. Sorry.
如果密码使用 md5 加密,您将无法解密它们。 您最好的方法是检查您的登录代码是否创建帐户/上次更改密码是否发生在特定日期之前。 如果是,请使用 OSCommerce 的密码验证功能,如果没有,请使用您自己的。
这样,对于所有新帐户,密码将使用新方法进行加密,而对于旧帐户,您将继续照常处理它们,因此对用户来说是透明的。
另一个可能更好的选择是继续使用 OsCommerce 的加盐方法。 它更安全,而且您还可以保留现有的密码。
If the passwords are encrypted with md5, you won't be able to decrypt them. Your best possibility can be to check in your login code whether the creation of an account/last password change occurred before a certain date. If so, use OSCommerce's password validation function, if not, use your own.
This way, for all new accounts the passwords will be encrypted with the new method, and for old accounts you'd continue to handle them as usual, so it'll be transparent to users.
Another, and possibly better option is that you continue to use the salting method of OsCommerce. It is more secure, and you'll also get to keep your existing passwords.
哈希算法之间没有自动转换的方法。 不幸的是,您可能会陷入以下错误选项之一:
There is no method for automatic conversion between hash algorithms. Unfortunately you would likely be stuck picking from one of the following bad options: