[英]Precision loss in PHP's Crypt()? Same salt, different passwords = same encrypted result
I am using Crypt() in PHP to encrypt passwords. 我在PHP中使用Crypt()来加密密码。 Let's say salt is "bg", 假设盐是“ bg”,
Password is: "gg456456gg" 密码是:“ gg456456gg”
Encrypted result gives: "bgvQk9C2Pv27o" 加密结果为:“ bgvQk9C2Pv27o”
But if I use password: "gg456456" - without two last characters, it gives same result. 但是,如果我使用密码:“ gg456456”-不带最后两个字符,则会得到相同的结果。
Because of this, users are able to login without typing 100% exact password. 因此,用户无需输入100%准确密码即可登录。
What's happening? 发生了什么? I mean gg456456 and gg456456gg are two different passwords, why is encrypted result same? 我的意思是gg456456和gg456456gg是两个不同的密码,为什么加密结果相同?
Php.net on function crypt() php.net函数crypt()
The standard DES-based crypt() returns the salt as the first two characters of the output. 基于DES的标准crypt()返回salt作为输出的前两个字符。 It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used). 它还仅使用str的前八个字符,因此以相同的八个字符开头的较长字符串将产生相同的结果(使用相同的salt时)。
So use a different encryption method. 因此,请使用其他加密方法。 Such as blowfish or sha-512. 例如河豚或sha-512。 These will accept much longer strings 这些将接受更长的字符串
Eg SHA-512: 例如SHA-512:
$encpassword = crypt($password,"$6$".$salt);
Used the method above (and same salt): 使用上面的方法(和相同的盐):
gg456456 -> $6$631080661$L2o7HNKfYrqB4H19vYe7fRWWLenQj2EcWqriNG9rX6ki1QKO2YytkylrYmZ8mhIr6XE19Ms4RW2of5Z/dsYRA/ gg456456-> $ 6 $ 631080661 $ L2o7HNKfYrqB4H19vYe7fRWWLenQj2EcWqriNG9rX6ki1QKO2YytkylrYmZ8mhIr6XE19Ms4RW2of5Z / dsYRA /
gg456456gg -> $6$631080661$maGxQ2d7ZIPIdXDFN1sJJsIjTFEwD9dL/uljSXdKXeJU4E5miCzh1ZCao57sGDm9PrDhdPYPLGUvoy0HzTfqI. gg456456gg-> $ 6 $ 631080661 $ maGxQ2d7ZIPIdXDFN1sJJsIjTFEwD9dL / uljSXdKXeJU4E5miCzh1ZCao57sGDm9PrDhdPYPLGUvoy0HzTfqI。
Use a good random-number generator for your salt and voila you have a well encrypted password 为您的盐和瞧使用一个好的随机数生成器,您有一个很好的加密密码
The original crypt function on Unix systems only uses the first 8 characters of the password. Unix系统上的原始crypt函数仅使用密码的前8个字符。 Eventually we decided that was insecure and have switched to more secure password hashes. 最终,我们认为这是不安全的,因此改用了更安全的密码哈希。
The PHP crypt function selects the algorithm to use based on the salt you supply, and a two character alphanumeric salt like you used triggers that original crypt algorithm. PHP crypt函数会根据您提供的盐来选择要使用的算法,并且像您使用的那样由两个字符组成的字母数字盐会触发该原始crypt算法。
See http://php.net/manual/en/function.crypt.php for the list of algorithms and respective salts. 有关算法和相应盐的列表,请参见http://php.net/manual/zh/function.crypt.php 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.