Drupal 7 password hash


Problem description

I have a bit of a dilemma here. I have a drupal 7 database table of users, with corresponding passwords. All these passwords have been naturally encrypted. My assumption is that these are MD5 hashes, but not quite.

The challenge here is that we are utilizing the same set of users in a companion website that uses similar credentials but a different technology [please don't blame me for this, I am a mere pawn].

Now if I knew how Drupal goes about encrypting its passwords, maybe I could decrypt them and apply the same in my backend logic?

Recommended answer

Note that these passwords are hashed, not encrypted. The fundamental difference between hashing and encryption is that with encryption you would be able to recover the original password. You won't be able to do that when they are hashed (not without a lot of effort), and that's by design.

Think of hash browns: if you've made a hash brown, you won't be able to get the original potatoes back. This is done so that if a hacker compromises your system and gains access to the database, they won't be able to see or recover the original passwords.

So how does one check if the user entered the correct password? Well, when the user tries to log in and enters a password, you apply the same functions to the user input and see if the output is the same thing as what's stored in the database. Since hashing functions are deterministic, you'll always get the same output with the same input.

The key to getting multiple applications to work with the same hashes is to have them use the same functions on the passwords when attempting to authenticate a user. Drupal probably also uses one or more salts - but that's not important. As long as the same logic is used by your applications, the hashes will always be fully compatible.

Suppose Drupal uses something like this as its authentication system (very simplified pseudo-ish code):

<?php
/*
    input: a PDO connection, user-entered $username and $password
    output: true if authorized, false otherwise
*/
function auth(PDO $db, $username, $password)
{
    // Illustrative only: one fixed salt shared by every user.
    $salt = 'some random salt';

    // Bind the username as a query parameter instead of interpolating it into the SQL.
    $stmt = $db->prepare('SELECT hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $hash_from_db = $stmt->fetchColumn();
    if ($hash_from_db === false) {
        return false; // no such user
    }

    // Apply the same function to the user input that was applied when the hash was stored.
    $hashed_input = sha1($password . $salt);

    // Compare in constant time rather than with != so the check does not leak timing.
    return hash_equals($hash_from_db, $hashed_input);
}

If your other application uses the exact same thing to authenticate its users, it will work fine. Note that Drupal's authentication scheme will probably be a lot more complex, but don't let that faze you. It's just about doing the same thing Drupal does.

For Drupal, here's where you can start: user_hash_password().
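What user_hash_password() actually does in Drupal 7 (includes/password.inc) is more specific than the sketch above: it draws a random 6-byte salt per user, encodes it with the phpass base64 alphabet, then runs SHA-512 over salt+password followed by 2^count rounds of SHA-512 over previous_digest+password (count is 15 by default, and is stored in the fourth character of the hash), and finally truncates the result to 55 characters beginning with "$S$". Because the salt and the iteration count are both carried inside the stored string, a companion application only needs to reproduce that algorithm, not share any configuration. The following Python re-implementation is an added example, not code from the answer above or from Drupal; the salt_bytes parameter exists only so the output is deterministic for testing (Drupal always uses random bytes), and the sample password is constructed.

```python
# Added example: Python re-implementation of Drupal 7's user_hash_password() and
# user_check_password() so a non-PHP backend can verify the same "$S$" hashes.
import hashlib
import hmac
import os

# Alphabet shared with phpass; the 4th character of a hash encodes log2(iterations).
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
DRUPAL_HASH_COUNT = 15      # default: 2**15 rounds
DRUPAL_MIN_HASH_COUNT = 7
DRUPAL_MAX_HASH_COUNT = 30
DRUPAL_HASH_LENGTH = 55     # stored hashes are truncated to this length


def _b64(data: bytes) -> str:
    """phpass-style base64: 3 little-endian bytes -> 4 chars, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def _crypt(algo: str, password: bytes, setting: str):
    """Mirror of _password_crypt(): hash string, or None if the setting is malformed."""
    setting = setting[:12]              # "$S$" + count char + 8-char salt
    if len(setting) != 12 or setting[0] != '$' or setting[2] != '$':
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < DRUPAL_MIN_HASH_COUNT or count_log2 > DRUPAL_MAX_HASH_COUNT:
        return None
    salt = setting[4:12].encode('ascii')
    # Initial hash over salt+password, then 2**count_log2 rounds of hash(prev+password).
    digest = hashlib.new(algo, salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.new(algo, digest + password).digest()
    output = setting + _b64(digest)
    expected = 12 + -(-8 * len(digest) // 6)   # 12 + ceil(bits / 6)
    if len(output) != expected:
        return None
    return output[:DRUPAL_HASH_LENGTH]


def hash_password(password: str, count_log2: int = DRUPAL_HASH_COUNT,
                  salt_bytes: bytes = None) -> str:
    """Mirror of user_hash_password(). salt_bytes is an added parameter for
    deterministic tests; Drupal itself always draws 6 random bytes."""
    count_log2 = max(DRUPAL_MIN_HASH_COUNT, min(count_log2, DRUPAL_MAX_HASH_COUNT))
    if salt_bytes is None:
        salt_bytes = os.urandom(6)
    setting = '$S$' + ITOA64[count_log2] + _b64(salt_bytes)
    return _crypt('sha512', password.encode('utf-8'), setting)


def check_password(password: str, stored_hash: str) -> bool:
    """Mirror of user_check_password(): recompute with the stored setting and compare."""
    pw = password.encode('utf-8')
    if stored_hash.startswith('U$'):
        # Drupal 6 MD5 hash re-hashed on upgrade: the hex MD5 acts as the password.
        stored_hash = stored_hash[1:]
        pw = hashlib.md5(pw).hexdigest().encode('ascii')
    kind = stored_hash[:3]
    if kind == '$S$':
        computed = _crypt('sha512', pw, stored_hash)
    elif kind in ('$P$', '$H$'):            # phpass / phpBB3 MD5 variants
        computed = _crypt('md5', pw, stored_hash)
    else:
        return False
    return computed is not None and hmac.compare_digest(computed, stored_hash)


if __name__ == '__main__':
    # Constructed demo input, not a real account.
    stored = hash_password('correct horse battery staple')
    print(stored, check_password('correct horse battery staple', stored),
          check_password('wrong', stored))
```

Verification reads the iteration count and salt back out of the stored string, so hashes produced by a site that raised password_count_log2, or imported phpass "$P$" hashes and Drupal-6-upgraded "U$S$" hashes, all verify with the same function; comparing with a constant-time equality avoids leaking how many leading characters matched.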
