哈希密码和加盐密码并不总是相同
我在 Spring 应用程序中使用 Apache Shiro 作为安全层,但我遇到了一个非常奇怪的情况。
首先,这就是我的安全系统的设置方式。当用户注册时,他们的密码将使用安全生成的随机盐进行哈希处理。然后,盐和散列密码存储在我的数据库中。当他们注册和登录时,一切都 100% 正常,但几天过去了,他们的哈希密码突然不再匹配。这是我的代码:
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.hash.Sha256Hash;
public static void main(String[] args) {
String plainPassword = "testing";
String salt = "8AFTpriREtydSg39+37rQHNRyvZLuXqyXYgWXI55f1PbhbUQSeFGCLKsHpA6thZKs3uQeNNJHksqcV5oaNcr9lQiXMMyC8Duqr2aQaqyjLKpNMVlB69jJ7emNq0K6ccfBdv/O4JGT2U689LeNg6CqN+9kqW2GBgT2CIVOlapA34=";
System.out.println(new Sha256Hash(plainPassword.toCharArray(), Base64.decode(salt), 1024).toBase64());
}
生成的散列密码是:
b8VLt/eKV8F5kwDjRgdkM+PAvQC8sk7Ooflt91juaXA=
但是我数据库中的密码(该密码正在工作并且是在几天前使用完全相同的盐生成的)是:
xZNBNlUa8vRQq0qY5bbkETzZtzztGRTH2KZKijQdilU=
因此,正如您可以想象的那样,我完全被难住了。有谁知道我是否做错了什么?或者如果我留下了一步。
更新 1:在我的系统中注册新用户后,系统中的所有其他用户似乎都因某种原因更改了密码。所以这与密码哈希的生成方式无关,更多地与我的数据库访问层有关。
I am using Apache Shiro as my security layer in my Spring app and I am encountering a really weird situation.
Firstly, this is how my security system is set up. When a user registers their password is hashed with a securely generated random salt. The salt and hashed password are then stored in my DB. Everything works 100% when they register and login works great too, but then a couple of days go by and suddenly their hashed passwords aren't matching any longer. Here is my code:
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.hash.Sha256Hash;
public static void main(String[] args) {
String plainPassword = "testing";
String salt = "8AFTpriREtydSg39+37rQHNRyvZLuXqyXYgWXI55f1PbhbUQSeFGCLKsHpA6thZKs3uQeNNJHksqcV5oaNcr9lQiXMMyC8Duqr2aQaqyjLKpNMVlB69jJ7emNq0K6ccfBdv/O4JGT2U689LeNg6CqN+9kqW2GBgT2CIVOlapA34=";
System.out.println(new Sha256Hash(plainPassword.toCharArray(), Base64.decode(salt), 1024).toBase64());
}
The resulting hashed password is:
b8VLt/eKV8F5kwDjRgdkM+PAvQC8sk7Ooflt91juaXA=
But the password I have in my database, which was working and was generated with the exact same salt a couple of days ago was:
xZNBNlUa8vRQq0qY5bbkETzZtzztGRTH2KZKijQdilU=
So as you can imagine, I am completely stumped. Does anyone know if I am doing something wrong? Or if I have left a step out.
Update 1: After registering a new user in my system, it looks like all the other users in the system have their passwords changed for some reason. So this has nothing to do with the way the password hash is generated and more to do with my database access layer.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
看来您的问题与哈希和咸水无关。您正在发送不正确的查询以更新不需要的记录。
但是我会为盐提供建议 - 为每个用户使用不同的盐。否则,您的密码不那么安全。想象一下,如果某人获得盐和您的数据库,会发生什么。一段时间后(可能是几周,但这并不多)他将能够生成彩虹桌并拥有大多数密码。虽然您使用其他盐,但他将必须生成与用户数量一样多的彩虹桌。
It seems your problem is unrelated to hashing and salting. You are sending improper queries that update unwanted records.
But I'll throw in an advice about salting - use a different salt for every user. Otherwise your passwords are not as secure. Imagine what happens if someone obtains the salt and your database. In a while (could be weeks, but it's not that much) he will be able to generate a rainbow table and have most of your passwords. While if you use a different salt, he will have to generate as many rainbow tables as the number of your users.
事实证明,我在其他地方有一些狡猾的代码正在更新我的用户对象并用新密码覆盖他们的密码。所以密码哈希算法毕竟工作正常。
It turns out I had some dodgy code somewhere else that was updating my user object and overwriting their password with a new password. So the password hashing algorithms were working correctly after all.