创建“密钥”的标准方法是什么?从一个值?
我需要获取用户的电子邮件地址并以某种方式操纵该值以得出自动生成的密码。我想确保每当用户需要检索其密码时我都可以重新创建相同的密码。
有这样做的标准方法吗?这就是“哈希”吗?如果有人能指出我正确的方向,我将不胜感激! :) 一旦我知道去哪里寻找,我就可以自己进行研究。
谢谢!
阳光明媚
I need to take a user's email address and somehow manipulate the value to come up with an auto-generated password. I want to make sure that I can re-create the same password whenever a user needs to retrieve their password.
Is there a standard way of doing this? Is this what a "hash" is? I would be greatly appreciative if someone could point me in the right direction! :) Once I know where to look, I can do the research myself.
Thanks!
Sunny
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
是的,这就是“哈希”。但是,我强烈反对这种方法,因为这意味着擅长密码分析的人只需知道系统上任何用户的电子邮件地址就可能为他们生成密码。
您建议的情况下的标准做法是,当用户忘记密码时,使用新的随机密码实际重置用户的密码。这使得他们以前的密码保持“安全”,以便有人碰巧用他们的密码拦截了电子邮件,它只会包含一个随机密码,而不是用户很可能在他们登录的每个其他网站上使用的密码。
密码重置后,应鼓励用户在首次登录时更改密码。
Yes, that's what a "hash" is. However, I would strongly caution against this approach, because it means that someone who's good at cryptographic analysis could potentially generate the password for any user on the system, just by knowing their email address.
Standard practice in the case you're suggesting is to actually reset the user's password with a new, random password when they forget their password. That keeps their previous password "safe," so that someone happens to intercept the email with their password, it will only contain a random password rather than a password that the user very likely uses for every other website they log in to.
After a password reset, users should be encouraged to change their password when they first log in.
哈希函数确实可以满足您的要求 - 它需要一些输入 x 并生成一个摘要 d,每当您再次为其提供输入 x 时,摘要 d 都会相同。
维基百科的更好定义,解释了这个属性:
但是,如果这是为了密码检索,我建议不要这样做。相反,我建议向他们发送一个重置密码的链接,然后让他们重置密码。
A hashing function does do what you're looking for - it takes some input x and generates a digest d that will be the same whenever you give it input x again.
A better definition from wikipedia, that explains this property:
However, if this is for password retrieval, I would advise against it. Instead, I would recommend the approach of sending them a link to reset their password, and then have them reset their password.
如果您正在执行某种密码重置系统,您应该只是随机生成他们的电子邮件密码,然后强制他们在初次登录时更改密码。如果他们需要在其他时间重置密码,则可以再次执行相同的过程。
If you are doing some sort of password reset system, you should just randomly generate a password to their email and than force them to change it on initial login. If they need to reset their password at some other time, than they can go through the same process again.
PHP 中的 md5 函数之类的东西将是一个很好的起点。但是,如果用户丢失了密码,为什么需要重新创建相同的自动生成密码呢?就个人而言,生成一个新的随机数更有意义。
Something like the md5 function in PHP would be a good place to start. However, why would you need to recreate the same autogenerated password if the user lost it ? Personally, it would make more sense to just generate a new random one.
哈希就像指纹。如果您有原始值(例如密码),您可以获取指纹并与数据库中的指纹进行比较。但是使用数据库中的指纹,您无法重新创建原始值(您无法从指纹创建人类)。
这似乎就是你想要的。但即便如此,它也可能不是您所需要的。从电子邮件地址的哈希生成密码意味着任何知道您如何对电子邮件地址进行哈希处理的人都可能知道每个密码。
如果您正在寻找密码恢复系统,则应该使用自助密码重置 系统。
A Hash is like a fingerprint. If you have the original value (the password for example), you can get the fingerprint and compare to the one you have in your database. But with the fingerprint you have in the database, you can't recreate the original value (you can't create an human from a fingerprint).
It seems to be what you want. But even so it could be not what you need. Generating a password from the hash of an email address means that anyone that know how you hash your email address will potentially know every password.
If you're looking to a password recovery system, you should instead use a Self-service password reset system.