如何重新散列存储到我的数据库中的密码? (PHP)
我的数据库中有一些加密的密码,我想找到一种方法来显示它们。以下是它们如何保存到我的 mysql 数据库中:
function generateHash($plainText, $salt = null){
if ($salt === null)
{
$salt = substr(md5(uniqid(rand(), true)), 0, 25);
}
else
{
$salt = substr($salt, 0, 25);
}
return $salt . sha1($salt . $plainText);
}
$secure_pass = generateHash($this->clean_password);
然后 $secure_pass 被保存到我的数据库中。
任何人都会有想法吗?
非常感谢 ;)
I have some passwords encrypted in my database and I would like to find a way to display them. Here is how they are saved into my mysql database:
function generateHash($plainText, $salt = null){
if ($salt === null)
{
$salt = substr(md5(uniqid(rand(), true)), 0, 25);
}
else
{
$salt = substr($salt, 0, 25);
}
return $salt . sha1($salt . $plainText);
}
$secure_pass = generateHash($this->clean_password);
Then $secure_pass is saved into my database.
Anyone would have an idea ??
Thank you very much ;)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
您绝不能显示密码。
您绝不能显示密码。
您绝不能显示密码。
对密码进行哈希处理的目的就是让这种情况变得不可能。
由于您使用的是有点不安全的哈希,因此不太可能,但您仍然无法做到。
您应该使用 SHA512 而不是 SHA1 来使这种情况更加不可能。
You must never display a password.
You must never display a password.
You must never display a password.
The entire point of hashing a password is to make this impossible.
Since you're using a somewhat insecure hash, it's a little bit less impossible, but you still can't do it.
You should be use SHA512 instead of SHA1 to make this more impossible.
加密哈希的要点在于它几乎不可能逆转该操作。所以基本上这里的答案是否定的,你不能。
The point of a cryptographical hash is that it's neigh-impossible to reverse the operation. So basically the answer here is no, you cannot.
有无数个值会产生任何单个哈希值,因此无法准确地重现所给出的原始密码。
但是,您可以通过以下方法之一显示工作密码:
警告:显然,如果安全的话对您来说很重要,您不应该做以上任何事情。如果您想允许忘记密码的用户,我建议您阅读有关密码重置的内容。
there are an infinite number of values that will produce any single hash, as such there is no way to reproduce with certainty the original password that was given.
you can however display working passwords by one of the following methods:
Cavet: Obviously, if security is important to you, you should do none of the above. if you want to allow users who forgot their password I suggest you read about password resetting.
您已通过 SHA1 运行它们 - 原始密码已被破坏且无法通过任何实际方法恢复。您可以尝试找到另一个产生相同 SHA1 的字符串,但这会付出更多的努力而不值得。
You've run them through SHA1 - the original passwords are destroyed and unrecoverable by any practical means. You COULD try to find another string that produces the same SHA1, but that'd be more effort than it's worth.
您无法反转哈希函数,所以...您有两个选择:
1 强制用户插入新密码或...
2 当用户再次登录您的系统时更新哈希(您可以强制踢掉允许用户登录而无需重新输入密码的 cookie 和会话)。此解决方案将允许您的用户使用旧哈希登录,同时您将旧哈希更新为新哈希。下次您的用户登录时,脚本将使用新版本的哈希来登录用户。
在此示例中,我使用 md5 作为哈希值,我想以成本 = 12 更新为 BCRYPT,但可以随意将其更改为您需要的值。从 BCRYPT 成本 = 10 更改为 BCRYPT 成本 = 12 也可以工作或任何其他组合。考虑这个例子:
我更喜欢第二个选项:)。做出你自己的选择。如果您选择第二个选项并选择不踢掉允许用户在不提供密码的情况下登录的 cookie 和会话,也可以...更改将超时发生。甚至没有人会注意到这一变化。
You can't reverse a hash function sooo... you left with two options:
1 Force on user to insert new password or...
2 Update the hash as users login to your system again (You can force to kick the cookie and sessions that allow user to login without retyping their password). This solution will allow your users to log in with the old hash and at the same time you will update the old hash to new one. Next time your user will log in, the script will use new version of hash to login the user.
In this example I have used md5 as a hash I want to update to BCRYPT with cost = 12 but feel free to change it to what ever you need. Change from BCRYPT cost=10 to BCRYPT cost = 12 would also work or any other combination. Consider this example:
I prefer the second option :). Make your own choice. If you pick the second option and choose not to kick the cookie and session that allow user to login without providing the password, its ok too... The change will happen overtime. And no one will even notice the change.