Phpass - danger of not being able to access all the passwords?

Posted 2024-11-17 05:54:11, 660 characters, 2 views, 0 comments


Sorry, this may be dumb, but there is something I don't understand about Phpass. If I can create a secure hashed password like this:

$pwdHasher = new PasswordHash(8, FALSE);
$hash = $pwdHasher->HashPassword( $password );

and later check it like this:

$checked = $pwdHasher->CheckPassword($password, $hash); 

then that means that logically the passwords must be stored in such a way as they can only be read on a specific machine (otherwise someone could just use the "CheckPassword" function on another machine to get the password). How does Phpass do this?

If I need to move a website to a new server in the future, doesn't this cause a problem? How do I safely back up my database such that in case of a major server failure, I can recover all the passwords? (Am I missing something obvious?)

Edit - in response to the comments below, if different machines do not affect it then if a hacker gets access to my database, why can't they just execute CheckPassword on their own machine to get the original password? Sorry, I must be missing something obvious.

Edit 2 - Damn, I was missing something obvious. The compare function only checks the given password against the hashed one and returns true or false - you never actually have to have access to the password itself. Apologies for being dumb!


Comments (2)

带上头具痛哭 2024-11-24 05:54:11


The hashes created by bcrypt use the modular crypt format that does not just contain the hash value but also an indicator of the used hash function, the number of rounds, and the salt that has been used to create the hash value. In your case the returned strings look like this:

$2a$08$sssssssssssssssssssssshhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

That means everything you need to verify a password is stored in this string.

The reason why attackers can't just use this string and get the original password is because of one significant property of a good cryptographic hash function: "it is infeasible to generate a message that has a given hash."
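As an added illustration of the answer above (not code from the question, the answer, or phpass itself): the first function splits a bcrypt modular-crypt string of the shape shown, `$2a$08$` + 22 salt characters + 31 hash characters, into the parts a verifier needs, and the second pair shows the CheckPassword pattern itself, re-deriving from the salt and cost embedded in the stored string and comparing. bcrypt is not in Python's standard library, so the verify half uses PBKDF2-HMAC-SHA256 as a stand-in KDF (an assumption made for runnability; the structure is the point); the 8 follows phpass's convention of a log2 iteration count and is far too low for real deployments.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Layout from the answer: "$2a$" + 2-digit cost + 22-char salt + 31-char hash,
# all salt/hash characters drawn from bcrypt's ./A-Za-z0-9 alphabet.
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def parse_bcrypt(stored: str) -> dict:
    """Split a bcrypt modular-crypt string into scheme, cost, rounds, salt and hash."""
    m = _BCRYPT_RE.match(stored)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    ident, cost, salt, digest = m.groups()
    # The cost field is log2 of the iteration count, so cost 8 means 2**8 rounds.
    return {"scheme": ident, "cost": int(cost), "rounds": 2 ** int(cost),
            "salt": salt, "hash": digest}


def make_hash(password: str, cost: int = 8, salt: Optional[bytes] = None) -> str:
    """HashPassword-style: random salt, cost and salt stored alongside the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        cost, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def check_password(password: str, stored: str) -> bool:
    """CheckPassword-style: everything needed comes from the stored string, and the
    password is never recovered, only re-derived and compared in constant time."""
    try:
        _, scheme, cost, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed stored value, treat as non-matching
    if scheme != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** int(cost))
    return hmac.compare_digest(candidate, expected)
```

Because the salt and cost travel inside the stored string, the same check works on any machine that holds the database copy, which is why moving servers or restoring a backup needs no extra secret.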

独孤求败 2024-11-24 05:54:11


CheckPassword() does not return the original password. CheckPassword just checks to see if the passed-in password hashes to the passed-in hash. If it does, it returns true; if it doesn't, it returns false. You may want to have a read of the phpass article "How to manage a PHP application's users and passwords". That gives a very detailed description of how password hashing works in general, and in phpass in particular.
