使用 salt 验证用户登录
我正在使用 salt 来加密用户的密码。 我正在使用 PHP,这里是用户注册期间发生的情况的快速示例。
这是:
PHP 代码:
// Gives me my random key. My salt generator.
$salt = uniqid(mt_rand());
// My password via what users inputs.
$userpwd;
// Then the encryption. I use a HMAC hash.
$encrypted = hmac_hash("sha256", $userpwd, $salt);
?>
现在我的脚本中的一切都对我有用了。但我的问题是,如何对登录的用户进行身份验证?新的加密密码是随机的,因此我无法将登录表单中的密码与数据库中保存的加密密码进行比较。
我已经搜索过,但找不到解决方案。也许是我搜索得不够仔细,但是有没有办法解密密码呢?我可以做什么来使用我的脚本对用户进行身份验证?
I'm using salt to encrypt my users' passwords.
I'm using PHP, and here's a quick sample of what happens during a users registers.
Here it is:
PHP code:
// Gives me my random key. My salt generator.
$salt = uniqid(mt_rand());
// My password via what users inputs.
$userpwd;
// Then the encryption. I use a HMAC hash.
$encrypted = hmac_hash("sha256", $userpwd, $salt);
?>
Now that all works for me in my script. But my question is, how do I authenticate a user logging in? The new encrypted password is random, so I can't compare the password from the login form to the saved encrypted password in the database.
I've searched and can't find a solution. Maybe I haven't searched hard enough, but is there a way to decrypt the password? What can I do to authenticate the user with my script?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
您需要为每个用户的密码生成一个唯一的盐,然后将盐值存储在您可以检索的地方。例如,将 salt 与用户名和哈希密码一起保存到
user表中。这样,当您对用户进行身份验证时,您可以提取已知的盐并通过您的函数运行它。以下文章包含更多信息:存储密码 - 正确完成!
以及更多信息有关盐的信息: salt- Generation-and-open-source-software< /a>
You need to generate a unique salt for each user's password, and then store the value of the salt somewhere you can retrieve it. For example, by saving the salt to a
usertable along with the username and hashed password. That way you can extract the known salt and run it through your function when you go to authenticate a user.Here is an article that contains more information: Storing Passwords - done right!
And for more information about salts: salt-generation-and-open-source-software
您以相同的方式对用户输入的密码进行哈希处理,然后比较哈希值是否与您存储的相同。
您还必须存储盐,因为每个用户的盐都不同。我还建议使用在整个应用程序中保持不变的第二种盐(存储在硬配置文件中,这样即使数据库受到损害,密码仍然安全)。
注意:散列与加密不同;这是一个不可逆转的过程。
You hash the user's inputted password the same way, then compare if the hash is the same as the one you stored.
You also have to store the salt since it's different for each user. I would also recommend using a second salt that is constant across the application (stored on a hard config file, so that even if the database is compromised, the passwords are still safe).
Note: Hashing is not the same as encryption; It is an irreversible process.
您对用于登录的密码进行加密,并将其与数据库中的加密密码进行比较。 :)
You encrypt the password used to log in and compare it with the encrypted password in your database. :)
您可以计算用户输入的密码的哈希值,就像注册密码时一样。请注意,该代码是半伪代码,您需要将其适应您的库或函数。
如果盐存储在数据库中,那么您必须先获取它,或者在数据库中进行比较。
You compute the hash of the password user has entered, just as you do when registering them. Note that the code is semi-pseudo code, you need to adapt it to your libraries or functions.
If the salt is stored in the db, then you have to either fetch it first, or do the comparison in the db.
您不会解密您存储的内容。您对输入的密码进行哈希处理,并将其与注册时存储的密码进行比较。这是因为如果两个哈希值匹配(无论出于何种意图和目的),您就可以确信源数据匹配。
You don't decrypt what you've stored. You hash the entered password and compare it with what was stored at registration. This is because if two hashes match then (to all intents and purposes) you can be confident that the source data matches.
你的盐需要是恒定的,而不是随机的。这样,当您根据哈希值检查密码时,您所要做的就是再次使用盐对输入进行哈希值,并且生成的哈希值应该与之前的结果相同。
Your salt needs to be constant, and not random. That way when you are checking the password against the hash, all you have to do is hash the input with the salt again, and the resulting hash should be the same as what came out before.