Rehashing passwords without asking all users to change them


Question

A former developer used the PHP hash() function with the SHA256 algorithm to store password hashes. To improve the security of the system, I'd like to start using crypt() with the Blowfish algorithm (unfortunately we don't have PHP 5.5 and thus password_hash() is not available).

Since SHA256 is a non-reversible hashing algorithm, is there a way to start using crypt() with the salted passwords without asking everyone to reset their password?

Accepted answer

You should use the compatibility library then. It will make it easier for you when you move to 5.5.

Re-hashing without asking the user for the password... well, you can wait until the next time users log in, and then use the password extension's password_verify() function. If it fails then you can fall back on the old SHA256 hash. If the SHA256 hash matches then you can rehash the password using password_hash() and save it in the old hash's place:

if (password_verify($password, $hash)) {
    // Matches the new bcrypt hash...
} elseif (hash('sha256', $password) === $hash) {
    // Matches the legacy SHA256 hash (strict comparison avoids PHP's loose "0e..." numeric-string equality)...
    $newHash = password_hash($password, PASSWORD_DEFAULT);
    // Save $newHash in the old hash's place
} else {
    die('Invalid password...');
}

It is technically possible to crack a lot of the hashes, but there are too many problems with that (you would not get all of them, it is most likely not feasible, it may not even be legal, etc.).
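The following is an added, self-contained example of the migrate-on-login approach described in the answer; it is not code from the original answer or from the password_compat library. It assumes password_hash()/password_verify()/password_needs_rehash() are available (PHP >= 5.5 or the compatibility library), and it uses an in-memory array named $users with constructed sample accounts in place of the real database.

```php
<?php
// Added example: opportunistic migration from unsalted SHA-256 to bcrypt.
// Assumes password_*() functions exist (PHP >= 5.5 or the password_compat library).
// $users stands in for the database table; the two accounts are constructed samples.

// Legacy scheme left behind by the former developer: hash('sha256', $password).
function legacy_hash($password)
{
    return hash('sha256', $password);
}

// Constant-time comparison where available; hash_equals() needs PHP 5.6.
// Strict === still avoids the loose "0e..." numeric-string equality of ==.
function legacy_matches($stored, $password)
{
    $candidate = legacy_hash($password);
    if (function_exists('hash_equals')) {
        return hash_equals($stored, $candidate);
    }
    return $stored === $candidate;
}

// Returns true on success. On success the stored hash is upgraded in place:
// legacy SHA-256 records become bcrypt, and bcrypt records whose cost is below
// the current default are re-hashed as well.
function authenticate(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username]['hash'];

    // 1. Preferred path: record is already bcrypt.
    if (password_verify($password, $stored)) {
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT);
        }
        return true;
    }

    // 2. Fallback: record is a legacy SHA-256 hex digest. The plaintext is
    //    in hand right now, so this is the one moment we can rehash it.
    if (legacy_matches($stored, $password)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    return false;
}

// Constructed sample store: one un-migrated account, one already on bcrypt.
$users = array(
    'alice' => array('hash' => legacy_hash('correct horse')),
    'bob'   => array('hash' => password_hash('battery staple', PASSWORD_DEFAULT)),
);

// Wrong password: legacy record must stay untouched.
var_dump(authenticate($users, 'alice', 'wrong'));               // bool(false)
var_dump(substr($users['alice']['hash'], 0, 4) === '$2y$');    // bool(false)

// Correct password: login succeeds and the SHA-256 record is replaced by bcrypt.
var_dump(authenticate($users, 'alice', 'correct horse'));       // bool(true)
var_dump(substr($users['alice']['hash'], 0, 4) === '$2y$');    // bool(true)

// Second login now takes the bcrypt path directly.
var_dump(authenticate($users, 'alice', 'correct horse'));       // bool(true)
var_dump(authenticate($users, 'bob', 'battery staple'));        // bool(true)
```

Two operational points follow from this design. First, the legacy branch only fires for accounts that actually log in, so after the migration window you should report how many SHA-256 records remain and force a reset (or disable) those dormant accounts, then delete the fallback branch so an unsalted SHA-256 value can never again be accepted as a valid credential. Second, the fallback keeps the old digest comparison behind a constant-time check; the bcrypt path gets that property from password_verify() itself.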
