PHP: How to send the original password to the user when he clicks forgot password which is encrypted by using md5?

Question

I am using md5 to encrypt the passwords in my project.

When the user clicks on forgot password and submits his email, I have to send his password to him.

But the password is encrypted using md5. Generating a new password will not do, because in this project the admin can see all the details of the user. So I have to show the original password to the admin. So the initial password is very important. So how can I decrypt the password, or is there any other way to send him the original password?

Thanks in advance...

Recommended answer

Hashes are not designed to be decrypted, which is why they're often referred to as "one-way hashes" instead of just hashes.

Instead, either...

  1. Generate a new password, hash that, store the new password hash in place of the old one, and email the newly generated password to the user.

  2. Generate a new password, hash it, store it in a field for temporary passwords, and then when the user logs in with that password, prompt them to enter a permanent new password.

  3. Generate a nonce, store it in a field for the nonce, and email the user a link with that nonce which will give them access to a page to enter a new password.

The third option is probably the best all around, since it doesn't leave an actual password (temporary or not) in plain view to someone reading the user's email, and since it utilizes a nonce, once it has been used it can't be used again by a malicious user.

The reason hashing is used for passwords is specifically to prevent them from being stored in a form where a malicious user could determine the password simply by looking at the database.

"So I have to show the original password to Admin."

If you are hashing the password, this is not possible. In general, it is actually a bad idea to allow administrators to see users' passwords, because a large percentage of users tend to utilize the same password for multiple things, and the administrator of one thing (say, a company network) is probably not the administrator of many other things (say, a user's online banking system).

MD5 is not an encryption algorithm, it is a hashing algorithm. The two are not the same; encryption is designed to be reversible (hence the complementary term "decryption"), whereas hashing is designed to be one-way only.
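
The third option from the answer above, written out in PHP as an added example that is not part of the original answer. The table and column names, the 30-minute lifetime, storing the nonce as a SHA-256 hash, and the use of `password_hash()` instead of md5 are assumptions of this example; an in-memory SQLite database and a constructed sample user keep it self-contained.

```php
<?php
// Added example: table and column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT, reset_hash TEXT, reset_expires INTEGER)');
$db->prepare('INSERT INTO users (email, pw_hash) VALUES (?, ?)')
   ->execute(['alice@example.test', password_hash('old password', PASSWORD_DEFAULT)]); // constructed sample user

// Step 1: the user submits the forgot-password form. Returns the nonce for the emailed link.
function startReset(PDO $db, string $email, int $ttl = 1800): ?string {
    $nonce = bin2hex(random_bytes(32));               // unguessable value from the CSPRNG
    $stmt = $db->prepare('UPDATE users SET reset_hash = ?, reset_expires = ? WHERE email = ?');
    // Store only a hash of the nonce, so a database leak does not expose usable reset links.
    $stmt->execute([hash('sha256', $nonce), time() + $ttl, $email]);
    return $stmt->rowCount() === 1 ? $nonce : null;   // caller shows the same page either way
}

// Step 2: the user follows the link and submits a new password.
function finishReset(PDO $db, string $email, string $nonce, string $newPassword): bool {
    $stmt = $db->prepare('SELECT reset_hash, reset_expires FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['reset_hash'] === null || (int)$row['reset_expires'] < time()) {
        return false;                                 // unknown user, no pending reset, or expired
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $nonce))) {
        return false;                                 // wrong nonce (constant-time comparison)
    }
    // Set the new password hash and clear the nonce in one statement so it cannot be replayed;
    // matching on reset_hash makes a concurrent second use affect zero rows.
    $upd = $db->prepare('UPDATE users SET pw_hash = ?, reset_hash = NULL, reset_expires = NULL
                         WHERE email = ? AND reset_hash = ?');
    $upd->execute([password_hash($newPassword, PASSWORD_DEFAULT), $email, $row['reset_hash']]);
    return $upd->rowCount() === 1;
}

$nonce = startReset($db, 'alice@example.test');
// The emailed link would carry $nonce; the address below is a placeholder.
echo "https://example.test/reset.php?email=alice%40example.test&nonce=$nonce\n";
var_dump(finishReset($db, 'alice@example.test', $nonce, 'new password'));  // first use of the nonce
var_dump(finishReset($db, 'alice@example.test', $nonce, 'another one'));   // replay of the same nonce
```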
