对 imap_open PHP 函数使用哈希密码
有没有办法通过 imap_open() 函数使用哈希密码?我必须以某种方式隐藏该密码,甚至对我自己也是如此。但找不到办法做到这一点。实际的 PHP 脚本在 Linux 服务器上运行。那里有一些人有 sudo 权限。因此,他们无论如何都可能会看到该密码。
提前致谢
Is there a way to use a hashed password with imap_open() function? I have to hide somehow that password even from myself. But cannot find a way to do that. The actual PHP script works on the Linux server. A few people have sudo rights there. So, they may see that password anyway.
Thanks in advance
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这样的功能将破坏密码哈希的真正目的:
标准密码方案适用于需要身份验证来存储密码哈希的资源,并且您向其提交纯密码。如果您的密码的哈希值与存储的哈希值匹配,则身份验证成功。这样做的目的是资源永远不需要知道您的密码,任何闯入的人也无法发现您使用的密码。
现在,您要求允许用户对自己的密码进行哈希处理并提交哈希值,然后资源将提交的哈希值与存储的哈希值进行比较。但这会有效地将哈希本身变成逐字存储的纯密码!任何有权访问存储的哈希值的人现在都可以立即访问该资源,从而完全偏离了仅存储密码哈希值的目的!
Such a feature would defeat the very purpose of password hashing:
The standard password scheme is for the resource that requires authentication to store a hash of your password, and that you submit to it your plain password. If the hash of your password matches the stored hash, the authentication succeeds. The purpose of this is that the resource never needs to know your password, nor can anyone who breaks in discover which password you used.
Now you're asking that the user be allowed to hash her own password and submit the hash, and that the resource then just compare the submitted hash with the stored hash. But this would effectively turn the hash itself into a plain password which is stored verbatim! Anyone who gets access to the stored hashes would now have immediate access to the resource, thus utterly derailing the very purpose of only storing a hash of the password!