Hashing password using crypt does not work on the login, it displays incorrect pass


Question


I have a register page that allows users to insert a password, so I need to hash it to become more secure in the database. This works fine,


but when it comes to the login, the entered password does not match the registered one. How do I fix this problem?


This is my first time using hashing, so it did not work as I wanted.

Here is the registration code for the hashing:

// Hash the password with crypt(); the "$2y$" prefix selects bcrypt, not MD5
function cryptPass($input, $rounds = 9)
{
    // Build a fresh random 22-character salt on every call
    $salt = "";
    $saltChars = array_merge(range('A','Z'), range('a','z'), range('0','9'));
    for ($i = 0; $i < 22; $i++)
    {
        $salt .= $saltChars[array_rand($saltChars)];
    }
    // Setting string: "$2y$" + cost + "$test$" + salt (the "test$" part is kept as posted)
    return crypt($input, sprintf('$2y$%02d$test$', $rounds) . $salt);
}
$hashedpass = cryptPass($pass1);
echo $hashedpass;


The hashed password = $2y$09$test$5I9x8HWhA4UHi5TMu.AxfdWvZadDCE.LD6HCkrK3ZsqJeN7e

Here is the login code for the hashing:

// Same function as at registration: it draws a new random salt each call,
// so the result can never equal the hash stored at registration
function cryptPass($input, $rounds = 9)
{
    $salt = "";
    $saltChars = array_merge(range('A','Z'), range('a','z'), range('0','9'));
    for ($i = 0; $i < 22; $i++)
    {
        $salt .= $saltChars[array_rand($saltChars)];
    }
    return crypt($input, sprintf('$2y$%02d$test$', $rounds) . $salt);
}
$hashedpass = cryptPass($pass);
echo $hashedpass;


The hashed password = $2y$09$test$4ZGgCiXdKzgQvuzwu.AxfdWvZadDCE.LD6HCkrK3ZsqJeN7e

Answer


Upon registration you create a unique salt. That salt is now part of the hash. If you look closely, you'll see it's embedded in the first part of the hash. To check the password, use the previous hashed password's salt, so you're using the same salt again.

// getPasswordFromDatabase() stands for whatever fetches this user's stored hash
$correctPasswordHash = getPasswordFromDatabase($_POST['username']);
// Passing the stored hash as the salt makes crypt() reuse its embedded "$2y$09$..." prefix
$hash = crypt($_POST['password'], $correctPasswordHash);

if ($correctPasswordHash === $hash) {
    // password matches
}


To make this easier and more foolproof, use the password_compat library, which wraps this in an easy-to-use API, which will also be integrated into a future version of PHP. Inspect its source code for the correct usage of crypt, since there are some pitfalls you need to take care of. The password_compat library is also using a custom binary comparison instead of a simple === to thwart timing attacks.
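The register/verify pair described in the answer, as an added example that is not the poster's or the answerer's code: the salt is generated once at registration, the stored hash is fed back to crypt() as the salt at login, and the comparison is constant-time. It assumes PHP 7 or later (random_int, hash_equals) and a libc with bcrypt support; the password and function names are constructed for the demonstration.

```php
<?php
// Added example: why the login above fails and how the answer's fix works.
// Assumes PHP 7+ (random_int, hash_equals) and bcrypt support in crypt().

// Build a bcrypt setting string: "$2y$" + 2-digit cost + "$" + 22 salt chars
// drawn from the bcrypt alphabet [./A-Za-z0-9]. No stray "$test$" in the middle.
function bcryptSetting(int $cost = 10): string
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $salt = '';
    for ($i = 0; $i < 22; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

// Registration: salt once, store the full 60-character crypt() output.
function registerHash(string $password): string
{
    $hash = crypt($password, bcryptSetting());
    if (strlen($hash) !== 60) {  // crypt() returns "*0" or "*1" when the setting is rejected
        throw new RuntimeException('bcrypt unavailable or setting string invalid');
    }
    return $hash;
}

// Login: reuse the stored hash as the salt argument; crypt() reads the
// "$2y$cost$salt" prefix from it and recomputes with the same parameters.
// hash_equals() compares in constant time instead of a plain ===.
function verifyHash(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Demonstration with a constructed password.
$stored = registerHash('correct horse');
var_dump(verifyHash('correct horse', $stored));
var_dump(verifyHash('wrong horse', $stored));

// The broken approach from the question: a fresh salt at login never matches.
var_dump(hash_equals($stored, crypt('correct horse', bcryptSetting())));

// Equivalent with the built-in API (PHP 5.5+), which password_compat polyfills.
$stored2 = password_hash('correct horse', PASSWORD_BCRYPT);
var_dump(password_verify('correct horse', $stored2));
```

The first and last var_dump lines are the successful verifications; the middle two show a wrong password and the question's per-login salt both failing to match.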
