Using Md5 for password hash in Auth component of Cakephp 2.x


Problem description


I have an existing website, built using CakePhp 1.3. In that website I have used MD5 algorithm for the password hash.

Now I want to upgrade my CakePhp version to 2.3.5, but I'm unable to use MD5 for the password hash.

I would like to know why I can't use MD5 in CakePhp 2.x?

Solution

Don't use md5 for passwords

md5 is not an appropriate hashing algorithm for hashing passwords, don't use it. There are many, many references which explain why - including the PHP manual:

Why are common hashing functions such as md5() and sha1() unsuitable for passwords?

Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to "brute force" the output of these algorithms, in order to determine the original input.

Because of how quickly a modern computer can "reverse" these hashing algorithms, many security professionals strongly suggest against their use for password hashing.

How to change the default hash algorithm

You can change the default hashing algorithm using setHash; a recommended hash algorithm for passwords is blowfish:

Security::setHash('blowfish');

How to handle existing passwords

If you really want to, you can just change setHash to use md5.

But that's not a good idea.

Don't compromise the security of a new/updated application just to accommodate the poor security of the old one. Instead of using the same hash algorithm (and salt) as the previous application you can use logic such as the following (pseudo-ish code):

// Runs inside a controller action with the User model loaded; in CakePHP 2.x
// the posted form data lives in $this->request->data, not $this->data.
$username  = $this->request->data['User']['username'];
$plainText = $this->request->data['User']['password'];

$user = $this->User->findByUsername($username);
if (empty($user['User'])) {
    return false; // no such user
}
$user = $user['User'];

// New scheme: blowfish (bcrypt). Passing the stored hash as the salt makes
// crypt() reproduce that hash when the password matches. Security::hash()
// warns and returns '' when the salt is not a $2a$... string, so only try
// this when the stored value is already a blowfish hash.
Security::setHash('blowfish');
if (strpos($user['password'], '$2a$') === 0) {
    $blowfished = Security::hash($plainText, 'blowfish', $user['password']);
    if ($blowfished === $user['password']) {
        return true; // user exists, password is correct
    }
    return false; // already on blowfish, password wrong
}

// Legacy scheme: md5 with the old application's salt prepended (the config
// key is a placeholder for wherever that salt is kept).
$oldSalt = Configure::read('configure.this');
$md5ed = Security::hash($plainText, 'md5', $oldSalt);

if ($md5ed === $user['password']) {
    // The old hash matched, so the plaintext is known to be correct: re-hash
    // it with blowfish (fresh random salt) and store that in place of the md5.
    // If the model's beforeSave() already hashes passwords, save the plaintext
    // here instead, or it will be hashed twice.
    $this->User->id = $user['id'];

    $blowfished = Security::hash($plainText);
    $this->User->saveField('password', $blowfished);

    return true; // user exists, password now updated to blowfish
}

return false; // wrong password

This kind of logic is not complex, and prevents the need to continue using a bad hash algorithm.
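The verify-then-re-hash flow from the answer above as a stand-alone PHP script, added here as an example; it is not code from the answer or from CakePHP. It goes a little beyond the answer's sketch: it picks the branch by the stored hash's format instead of trying blowfish first, compares the md5 candidate in constant time, and spends a bcrypt verification on unknown usernames so missing accounts are not detectable by timing. It assumes PHP 5.6 or later (password_hash, password_verify, hash_equals), that the old hashes are md5(salt . password) as CakePHP 1.3's Security::hash produced them, and it uses a constructed in-memory $users array and a made-up LEGACY_SALT in place of the database and the old Security.salt.

```php
<?php
// Added example, not code from the answer above or from CakePHP. It shows the
// same migrate-on-login flow in plain PHP so it runs without a CakePHP install.
// Assumptions: PHP >= 5.6 (password_hash / password_verify / hash_equals);
// the legacy scheme is md5($salt . $password), which is what CakePHP 1.3's
// Security::hash('md5', $salt) produced; $users is a constructed in-memory
// stand-in for the users table, and LEGACY_SALT is a made-up value.

define('LEGACY_SALT', 'DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi'); // constructed

// What the old application stored: md5 of one global salt followed by the
// password (the same salt for every user, no per-user salt).
function legacy_md5_hash($plainText)
{
    return md5(LEGACY_SALT . $plainText);
}

// A CakePHP 1.3 md5 hash is exactly 32 lowercase hex characters, whereas a
// bcrypt hash starts with "$2y$" (or "$2a$"). Branching on the stored format
// avoids feeding an md5 string to crypt() as a salt and avoids running bcrypt
// on every login for users who still carry the old hash.
function is_legacy_hash($stored)
{
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

// Verify $plainText for $username against $users (passed by reference so the
// upgraded hash is written back). Returns true on success, false otherwise.
function verify_and_upgrade(array &$users, $username, $plainText)
{
    // Bcrypt hash of a throwaway value, computed once. Verifying against it
    // when the user does not exist costs about the same time as a real check,
    // so an attacker cannot tell valid usernames from invalid ones by timing.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_BCRYPT);
    }

    if (!isset($users[$username])) {
        password_verify($plainText, $dummyHash);
        return false;
    }
    $stored = $users[$username]['password'];

    if (is_legacy_hash($stored)) {
        // hash_equals() compares in constant time; a plain === would leak,
        // via timing, how many leading bytes of the candidate matched.
        if (!hash_equals($stored, legacy_md5_hash($plainText))) {
            return false;
        }
        // The legacy hash matched, so the plaintext is known to be correct:
        // replace the md5 hash with bcrypt now, while the plaintext is in hand.
        // The next login for this user goes through the bcrypt branch only.
        $users[$username]['password'] = password_hash($plainText, PASSWORD_BCRYPT);
        return true;
    }

    // password_verify() handles the $2y$ salt and cost embedded in the hash.
    return password_verify($plainText, $stored);
}

// Constructed sample data: alice still carries a CakePHP 1.3 md5 hash, bob was
// created after the upgrade and already has bcrypt.
$users = [
    'alice' => ['password' => legacy_md5_hash('correct horse')],
    'bob'   => ['password' => password_hash('battery staple', PASSWORD_BCRYPT)],
];

var_dump(verify_and_upgrade($users, 'alice', 'wrong password')); // wrong password, legacy branch
var_dump(is_legacy_hash($users['alice']['password']));           // record untouched after a failure
var_dump(verify_and_upgrade($users, 'alice', 'correct horse'));  // legacy branch, triggers the re-hash
var_dump(is_legacy_hash($users['alice']['password']));           // record now holds bcrypt
var_dump(verify_and_upgrade($users, 'alice', 'correct horse'));  // bcrypt branch from here on
var_dump(verify_and_upgrade($users, 'bob', 'battery staple'));   // user created after the upgrade
var_dump(verify_and_upgrade($users, 'carol', 'anything'));       // unknown user, dummy verification
```

Run it with php from the command line: alice's first successful login rewrites her record to a $2y$ bcrypt hash, and her second login is checked by password_verify() alone. Note that the fallback only upgrades accounts that actually log in, so users who never return stay on md5 indefinitely; pair this with a cut-off date after which remaining legacy hashes are invalidated and those users are asked to reset their passwords.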
