重新哈希用户数据库
[英]Re-Hash user database
问题描述
I was wondering if there was a method to change the way my site hashed passwords. 
我想知道是否有一种方法可以更改我的网站哈希密码的方式。 My coder friend wasn't the smartest when he didn't add salts to the sha512 hash. 我的编码员朋友没有在sha512哈希中添加盐时并不是最聪明的人。 So now it is very insecure and I wish to change that. 所以现在这是非常不安全的,我希望改变这一点。 I was thinking about making some complicated code to rehash when someone who has the old hash type logs in and it would set the variable to true after adding a salt. 我正在考虑制作一些复杂的代码以在具有旧哈希类型的用户登录时重新哈希,并且在添加盐后将变量设置为true。 Or I could take the currently hashed passwords and somehow fuse a salt into them. 或者,我可以采用当前散列的密码,然后以某种方式将盐加入其中。 I would rather not reset my user database if I don't have to. 如果不需要,我宁愿不重置我的用户数据库。 Any idea would help. 任何想法都会有所帮助。 I am also quite the php noob so please explain if you include code. 我也是相当不错的php noob,所以请解释一下您是否包含代码。
It is Hashed using this method. 使用此方法进行哈希处理。
<?php hash('sha512',"passwordhere") ?>
3 个解决方案
解决方案1
2 已采纳 2013-09-10 23:22:44
- Alter your user table to include a 'salt' column, default value of 'NULL'. 更改用户表以包括“盐”列,默认值为“ NULL”。
- Alter your login code to check if the user has a salt: 更改您的登录代码以检查用户是否有盐:
- If yes, compare the salted hashes and log in 如果是,比较盐腌的哈希并登录
- If no: 如果不:
- Compare the unsalted hashes. 比较未加盐的哈希。
- Generate a random salt. 产生随机盐。
- Generate your salty hash. 生成您的咸哈希。
- Store your new salt and hash in the database. 将新的盐和哈希存储在数据库中。
- Continue the login process. 继续登录过程。
- Compare the unsalted hashes.
- If yes, compare the salted hashes and log in
Of course, you will also need to update your code for registration, password change/recovery, etc. 当然,您还需要更新代码以进行注册,密码更改/恢复等。
Alternatively, instead of a 'salt' column you could put in a 'hash_ver' column and use that to determine which validation method to use and when to update the hash. 另外,也可以在“ hash_ver”列中放置“ hash_ver”列,而不是“ salt”列,以确定使用哪种验证方法以及何时更新哈希。 That way if you wish to use a hashing method that packs the salt in with the hash like bcrypt you don't get stuck trying to figure out what type of hash you're dealing with. 这样一来,如果您希望使用像bcrypt这样的散列方法将盐加入进去,您就不会陷入试图找出要处理的散列类型的麻烦。
解决方案2
1 2013-09-13 15:35:13
Every password-storing-system must have the option to switch to a better hash algorithm, your problem is not a one-time migration problem. 每个密码存储系统都必须选择切换到更好的哈希算法,您的问题不是一次性迁移问题。 In the answer to this question i tried to point out the necessary steps. 在回答这个问题时,我试图指出必要的步骤。
Note: Fast hash algorithms like SHA-* are not appropriate to hash passwords, instead switch directly to a slow key-derivation function like BCrypt. 注意:SHA- *之类的快速哈希算法不适用于哈希密码,而是直接切换至BCrypt之类的慢键派生功能。 The new PHP function password_hash() will make hashing easy (it will generate a safe salt for you), and is "future proof", also it will make switching in future possible. 新的PHP函数password_hash()将使哈希变得容易(它将为您生成安全的盐),并且具有“未来证明”,也将使将来的切换成为可能。
解决方案3
0 2013-09-10 23:24:02
$old_hash = hash('sha512',"passwordhere");
$salt = ''; // Generate salt here
$new_hash = hash('sha512', $old_hash.$salt) ;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.