PHP: when a user clicks "forgot password", how do I send them their original password, which was encrypted with md5?
I am using md5 to encrypt the passwords in my project.
When a user clicks on forgot password and submits his email, I have to send his password to him.
But the password is encrypted using md5. Generating a new password should not be done, because in this project the admin can see all the details of the user. So I have to show the original password to the admin. So the initial password is very important. So how can I decrypt the password, or is there any other way to send him the original password?
Thanks in advance...
Hashes are not designed to be decrypted, which is why they're often referred to as "one-way hashes" instead of just hashes.
Instead, either...
Generate a new password, hash that, store the new password hash in place of the old one, and email the newly generated password to the user.
Generate a new password, hash it, store it in a field for temporary passwords, and then when the user logs in with that password, prompt them to enter a permanent new password.
Generate a nonce, store it in a field for the nonce, and email the user a link with that nonce which will give them access to a page to enter a new password.
The third option is probably the best all around, since it doesn't leave an actual password (temporary or not) in plain view to someone reading the user's email, and since it utilizes a nonce, once it has been used it can't be used again by a malicious user.
The reason hashing is used for passwords is specifically to prevent them from being stored in a form where a malicious user could determine the password simply by looking at the database.
Edit:
"So i have to show the original password to Admin."
If you are hashing the password, this is not possible. In general, it is actually a bad idea to allow administrators to see users' passwords, because a large percentage of users tend to utilize the same password for multiple things, and the administrator of one thing (say, a company network) is probably not the administrator of many other things (say, a user's online banking system).
MD5 is not an encryption algorithm, it is a hashing algorithm. The two are not the same; encryption is designed to be reversible (hence the complementary term "decryption"), whereas hashing is designed to be one-way only.
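Added example, not code from the original answer: the third option above (a random, single-use, expiring reset nonce) implemented in PHP. An in-memory array stands in for the users table, the 15-minute lifetime and the example address are assumptions, and the link would be emailed by the application rather than built inline.

```php
<?php
// Added example (not from the original answer): nonce-based password reset.
// An in-memory array stands in for the users table; a real app would use a
// database and a mailer. TTL and sample user are assumptions.
declare(strict_types=1);

const RESET_TTL = 900; // reset links expire after 15 minutes (assumption)

// Hypothetical user store: email => ['hash' => ..., 'reset' => null|[...]]
$users = [
    'alice@example.com' => ['hash' => password_hash('old-secret', PASSWORD_DEFAULT), 'reset' => null],
];

// Step 1: user submits their email. Create a random nonce, store only its hash
// (a leaked database then does not contain usable reset links) and return the
// plaintext nonce so it can be placed in the emailed link.
function beginReset(array &$users, string $email): ?string {
    if (!isset($users[$email])) {
        return null; // caller should still show the same generic "email sent" message
    }
    $nonce = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG, not rand()/uniqid()
    $users[$email]['reset'] = [
        'hash'    => hash('sha256', $nonce),
        'expires' => time() + RESET_TTL,
    ];
    return $nonce;
}

// Step 2: user follows the link and submits a new password. Compare the nonce
// in constant time, reject expired ones, and invalidate it after a single use.
function completeReset(array &$users, string $email, string $nonce, string $newPassword): bool {
    $reset = $users[$email]['reset'] ?? null;
    if ($reset === null || time() > $reset['expires']) {
        return false;
    }
    if (!hash_equals($reset['hash'], hash('sha256', $nonce))) {
        return false;
    }
    // Replace the stored hash with a salted, slow password hash; never store md5().
    $users[$email]['hash']  = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$email]['reset'] = null; // the nonce is single-use
    return true;
}

$link = 'https://example.com/reset?email=' . urlencode('alice@example.com')
      . '&token=' . beginReset($users, 'alice@example.com'); // this is what gets emailed
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);    // simulate the user clicking the link
var_dump(completeReset($users, $q['email'], $q['token'], 'new-secret'));      // first use succeeds
var_dump(completeReset($users, $q['email'], $q['token'], 'again'));           // reuse of the token is rejected
var_dump(password_verify('new-secret', $users['alice@example.com']['hash'])); // new password is what is stored
```

Only the hash of the nonce is persisted, so neither an administrator nor someone who copies the database learns a working reset link, which mirrors the answer's point about never storing anything an admin could read back as a password.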
You can't. The reason cryptographic hashes[1] are referred to as "non-reversible" is that they can't be reversed. Which is the entire point of using them for password storage - it means that, if a Bad Guy gets his hands on the password database, he can't just reverse the hash to find out what all the passwords are.
I see from your edit that your intent is to display the user's password to the admin user(s) rather than for password recovery by the user himself. This is a Very Bad Idea. Many users attempt to ease the burden of remembering passwords by using the same password for multiple systems, which means that displaying their password in your system has a high probability of compromising their accounts on other systems.
True story: Back in 2000, I took a job at a startup that produced voicemail systems. To introduce me to the product on my first day, the IT director had me create a voicemail account, which I did, then he brought it up in the admin interface. I just about died when I saw my voicemail PIN displayed on the screen for all to see. Partly because it was shockingly bad security practice, but mostly because, even though he didn't know it, he now knew the PIN for my ATM card. That's just bad, bad, bad all around. Don't do that.
[1] MD5 is a hashing algorithm, not an encryption algorithm. The key difference between the two is that, for any given hashing algorithm, there are an infinite number of inputs which will produce the same output (which is why it's not reversible), while encryption has a one-to-one correspondence of input to output.
If the password has been hashed then you'll probably have to create a random password and send that to the user. Then, once they've logged in, take them to the Change Password screen so they can change their password to something more memorable.
One particular purpose (among others) of a hash value is that it's irreversible, if it works perfectly.
The most common way for a "forgot password" functionality is to generate a new password and tell your user to change it as soon as possible.
Just adding this as a sidenote:
While you cannot "unhash" the MD5 hash, you can look it up in a Rainbow table. That might allow you to send the original plaintext password to the user. I am not suggesting doing that, though, because it's just a waste of resources compared to simply creating a new password and sending that to the user instead.
From http://en.wikipedia.org/wiki/Rainbow_table:
Also see the comments below for additional notes.