phpass CheckPassword使用不同的盐? [英] phpass CheckPassword using different salts?

问题描述

我有一个带有用户区和管理区的站点.在管理区域中，我有一个用于创建用户的页面和一个用于创建管理员的页面.在用户和管理员页面上，我使用下面的代码对密码进行哈希处理:

I have a site with a user area and admin area. In the admin area, I have a page for creating users and a page for creating admins. On the users and admins pages, I used the code below to hash passwords:

$hasher = new PasswordHash(8, false);
$password = $HTTP_POST_VARS['password'];
$hash = $hasher->HashPassword($password);
$HTTP_POST_VARS['password'] = $hash;

对于用户页面，用于检查密码的代码为:

For the user page, the code to check the password is:

$hasher = new PasswordHash(8, false);
$check = $hasher->CheckPassword($password, $arrData[$conf['PASSWORD']['FIELD']]);
if ($check) {
    //login...
}

这很好用.我的用户密码已散列，并且可以正确检查密码.我在管理员登录页面上使用了相同的代码，但是，它无法正常工作.它从数据库中提取正确的信息，但是当使用CheckPassword时，密码不匹配.我认为这可能与加盐有关，因为密码的开始部分似乎是相同的.

This works fine perfectly. My user passwords are hashed and it correctly checks the passwords. I use identical code on the admin login page, however, it is not working. It pulls the correct information from the database, but when CheckPassword is used, the passwords do not match. I think it might have something to do with salting because the beginning part of the passwords seem to be the same.

顺便说一句，我正在使用PHP 4.3.

By the way, I am using PHP 4.3.

推荐答案

我认为这可能与盐析有关，因为密码的开始部分似乎是相同的.

I think it might have something to do with salting because the beginning part of the passwords seem to be the same.

我不知道您为什么会这样认为，但是密码的开头部分-哈希(！)应该相同. bcrypt创建的哈希使用模块化的crypt格式，该格式不仅包含哈希值，而且还指示已使用的哈希函数，轮数和用于创建哈希值的盐.那是相同的部分.还要查看一个相关的问题，我从以下位置复制了此信息:

I don't know why you might think that, however the beginning parts of the password-hashes (!) should be the same. The hashes created by bcrypt use the modular crypt format that does not just contain the hash value but also an indicator of the used hash function, the number of rounds, and the salt that has been used to create the hash value. That is the part that is the same. See as well a related question I copied this information over from:

• Phpass-无法访问所有密码的危险吗?

这可能不会回答您的问题，但希望能为您澄清一些细节，以免您看错地方.

This might not answer your question but hopefully clarifies some details for you so that you do not look in the wrong places.

我已将数据库设置为现在允许50个字符.有谁知道最长的哈希phpass将生成?

I have the database set to allow for 50 characters now. Does anyone know the longest hash phpass will generate?

这取决于所使用的哈希函数.在文章 如何管理PHP应用程序的用户和密码 (由Phpass的作者撰写)，给出了以下示例Mysql数据库模式:

That depends on the used hash function. In the article How to manage a PHP application's users and passwords by the author of Phpass, the following example Mysql database schema is given:

create database myapp;
use myapp;
create table users (user varchar(60), pass varchar(60));

您在这里看到，这是一个VARCHAR(60).这意味着最多60个字符就足够了.

You see here, this is a VARCHAR(60). This implies that 60 characters max are enough.

从另一个角度来看，Wordpress也使用Phpass，并且具有以下密码列定义:

From another perspective, Wordpress uses Phpass as well and has the following password column definition:

user_pass VARCHAR(64)

这意味着64个字符对于他们来说已经足够了.但是请记住，Wordpress还支持其他哈希，因此这可能只是一个通用值，而不是Phpass特定的值.

That implies that 64 characters should be enough for them. However keep in mind that Wordpress also support other hashes, so this might be just a general value and not Phpass specific.

另请参见:

• 可移植的PHP密码哈希框架(我说这是必须阅读的最低要求，如果您想了解更多信息，请阅读)
• 便携式(PHPass)密码哈希.我应该使用它们吗?

• Portable PHP password hashing framework (I'd say this is the minimum must-read, read it if you want to learn more)
• Portable (PHPass) password hashes. Should I use them?

这篇关于phpass CheckPassword使用不同的盐?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！