[英]Importing MD5+Salt Passwords to MD5
I'm moving my site from an oscommerce store to a commercial application. 我正在将网站从oscommerce商店迁移到商业应用程序。
The new application stores its passwords using straight MD5 encryption. 新应用程序使用直接MD5加密存储其密码。 Oscommerce stores the password using MD5, but also adds a random 2 digit number (provided in plaintext) to the hash.
Oscommerce使用MD5存储密码,但还会在哈希中添加一个随机的2位数字(以明文形式提供)。
Here is what someone posted on a forum: 这是某人在论坛上发布的内容:
The two characters added are for creating the hash in such way that
添加的两个字符用于以以下方式创建哈希:
hash=md5(twocharactersPlainPassword)hash = md5(twocharactersPlainPassword)
ie: 2letters: 74例如:2个字母:74
Plain Password: PaSs普通密码:PaSs
hash=md5('74PaSs')=acaa6e689ae0008285320e6617ca8e95:74hash = md5('74PaSs')= acaa6e689ae0008285320e6617ca8e95:74
Here is the code how Oscommerce encrypts the password: 这是Oscommerce加密密码的代码:
// This function makes a new password from a plaintext password.
function tep_encrypt_password($plain) {
$password = '';
for ($i=0; $i<10; $i++) {
$password .= tep_rand();
}
$salt = substr(md5($password), 0, 2);
$password = md5($salt . $plain) . ':' . $salt;
return $password;
}
// This funstion validates a plain text password with an encrypted password
function tep_validate_password($plain, $encrypted) {
if (tep_not_null($plain) && tep_not_null($encrypted)) {
// split apart the hash / salt
$stack = explode(':', $encrypted);
if (sizeof($stack) != 2) {
return false;
}
if (md5($stack[1] . $plain) == $stack[0]) {
return true;
}
}
return false;
}
Here is how my new cart encrypts the password: 这是我的新购物车加密密码的方式:
if ($admin_password_encrypt == 1) {
$password_match = md5($password);
} else {
$password_match = $password;
}
Is there any possible way of importing customer passwords from my oscommerce cart to my new cart. 有什么可能的方法可以将客户密码从我的oscommerce购物车导入到新购物车。
It appears that you have the source code for your new cart. 看来您具有新购物车的源代码。 Since "straight MD5" is a terribly awful way of storing passwords, perhaps you should simply change the to use the same password storage mechanism as OSCommerce.
由于“直接MD5”是一种非常糟糕的密码存储方式,因此您可能应该简单地将更改为使用与OSCommerce相同的密码存储机制。
The answer to your question is no, there is no way of converting the passwords. 您的问题的答案是否定的,没有办法转换密码。
Do not save plain MD5 hashes in your database. 不要在数据库中保存普通的MD5哈希。 Plain MD5 hashes can be reverse engineered quickly and easily using rainbow tables.
普通的MD5哈希可以使用Rainbow表快速,轻松地进行反向工程。 However, here's how you solve your problem, no matter how you choose to store the passwords in the future:
但是,无论以后如何选择存储密码,都可以通过以下方式解决问题:
Anyways, I want to reiterate that plain MD5 hashes are easy to crack for most passwords (since people like short and easy to remember passwords.) Use a salt and/or a more complex algorithm. 无论如何,我想重申,对于大多数密码而言,普通的MD5哈希值很容易破解(因为人们喜欢简短易记的密码。)请使用salt和/或更复杂的算法。 I'd recommend both, and use a salt that is longer than two characters and not limited to numbers.
我建议两者都使用,并且使用比两个字符长且不限于数字的盐。 This will make the passwords really secure.
这将使密码真正安全。
No. MD5 is a hash algorithm, which is a one-way function. 否。MD5是一种哈希算法,是一种单向函数。 You cannot reverse the hash on your oscommerce system to remove the salt and rehash.
您不能在oscommerce系统上反转哈希以除去盐并重新哈希。 Sorry.
抱歉。
If the passwords are encrypted with md5, you won't be able to decrypt them. 如果密码是使用md5加密的,则将无法对其进行解密。 Your best possibility can be to check in your login code whether the creation of an account/last password change occurred before a certain date.
最好的办法是在您的登录代码中检查是否在某个日期之前创建了帐户/最后一次密码更改。 If so, use OSCommerce's password validation function, if not, use your own.
如果是这样,请使用OSCommerce的密码验证功能,否则请使用您自己的密码验证功能。
This way, for all new accounts the passwords will be encrypted with the new method, and for old accounts you'd continue to handle them as usual, so it'll be transparent to users. 这样,对于所有新帐户,密码将使用新方法进行加密,对于旧帐户,您将继续照常处理它们,因此对用户透明。
Another, and possibly better option is that you continue to use the salting method of OsCommerce. 另一个可能更好的选择是您继续使用OsCommerce的加盐方法。 It is more secure, and you'll also get to keep your existing passwords.
这样更安全,而且您还可以保留现有密码。
There is no method for automatic conversion between hash algorithms. 哈希算法之间没有自动转换的方法。 Unfortunately you would likely be stuck picking from one of the following bad options:
不幸的是,您可能会被困于以下不良选择之一:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.