Updating md5 passwords with the php password_hash function

Views: 63

Problem description

I have a database with accounts that still use the MD5 algorithm which is old and unsafe, so I wanted to update the passwords with the password_hash function in php.

I made a login for users with a md5 password so they can be prompted with an update field to update their password. It all works and I see the new hash string in the database. But when I want to login using their new password it's just not possible.

I use a PDO update query to update the passwords, does anyone have a solution or know if this is even possible?

Thanks in advance, Bram.

This is the code I use to verify the passwords.

if (password_verify($password, $rowofusers['passwordhere'])) {
    // code here
}

Recommended answer

As mentioned, the correct way to do this can be completely transparent to the user and should not require an "update password prompt".

When the user tries to log in take the following steps to modify your login process accordingly.

  1. Check if the hash in the db starts with $2y$ to determine if the password should be checked with md5 or password_verify. If it does start with $2y$ then just use password_verify and ignore the remaining steps (continuing on with the rest of your normal login process).
  2. If the password hash in the database does not start with $2y$ then first, check the plain-text password against its md5 hash.
  3. If the plain-text password's hash doesn't match the md5 hash in your database, continue with the normal failed authentication process and ignore the remaining steps here.
  4. If the plain-text password's hash does match the md5 hash in your database then take the plain-text password and run it through password_hash and update your database with the newly generated BCRYPT hash from password_hash.

You would have to keep this code in your login process until all passwords in your database have been updated and no remaining md5 hashes are left. The user will never know that their password hash is updated and never be prompted to enter their password twice as it's completely unnecessary.
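The four steps above as a single login routine, added here as an example; it is not code from the question or from the answer. It assumes a hypothetical users table with columns id, username and password and an open PDO connection; the demonstration at the bottom runs against a constructed in-memory SQLite database so it works offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. It implements the
// answer's four steps against a hypothetical `users` table (id, username,
// password) and demonstrates them with an in-memory SQLite database.

/** Step 1: a password_hash() bcrypt result always starts with "$2y$". */
function isBcryptHash(string $stored): bool
{
    return substr($stored, 0, 4) === '$2y$';
}

/** Writes a new hash for one user (hypothetical table/column names). */
function storeHash(PDO $pdo, int $userId, string $hash): void
{
    $upd = $pdo->prepare('UPDATE users SET password = :h WHERE id = :id');
    $upd->execute([':h' => $hash, ':id' => $userId]);
}

/**
 * Authenticates $username/$password. On success against a legacy MD5 hash
 * the row is transparently rehashed with password_hash() (steps 2-4).
 * Returns the user row on success, null on failure.
 */
function loginAndMigrate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null; // unknown user: same failure path as a wrong password
    }
    $stored = (string) $user['password'];

    if (isBcryptHash($stored)) {
        // Step 1: already migrated, so only password_verify() is involved.
        return password_verify($password, $stored) ? $user : null;
    }

    // Steps 2-3: legacy row; compare against the MD5 hex digest (assumed
    // lowercase, as md5() produces) with a constant-time comparison.
    if (!hash_equals(strtolower($stored), md5($password))) {
        return null;
    }

    // Step 4: the plain-text password is only available during login, so
    // this is the moment to produce and store the bcrypt hash.
    $newHash = password_hash($password, PASSWORD_DEFAULT);
    storeHash($pdo, (int) $user['id'], $newHash);
    $user['password'] = $newHash;
    return $user;
}

// --- Demonstration with a constructed in-memory database ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
    ->execute(['bram', md5('correct horse')]); // constructed legacy MD5 row

// Wrong password against the legacy row: rejected, row left untouched.
var_dump(loginAndMigrate($pdo, 'bram', 'wrong') === null);

// First correct login: accepted and migrated to bcrypt in place.
$user = loginAndMigrate($pdo, 'bram', 'correct horse');
var_dump($user !== null && isBcryptHash($user['password']));

// Later logins go through password_verify() only (step 1).
var_dump(loginAndMigrate($pdo, 'bram', 'correct horse') !== null);
var_dump(loginAndMigrate($pdo, 'bram', 'wrong') === null);
```

One check worth making before deploying this: an MD5 hex digest is 32 characters, while a bcrypt hash from password_hash() is 60, and a column sized for MD5 (for example VARCHAR(32) on a MySQL server running without strict mode) will silently truncate the new hash, after which password_verify() fails for every migrated user even though a hash appears in the table. The PHP documentation recommends a column of 255 characters so that later algorithms fit as well.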
