What is the process of checking passwords in databases?


Problem description


I know this is a simple question, and maybe it is similar to others, but I couldn't find my answer in those, so I'm asking a new one.


I would like to understand the process of checking passwords in databases. I know they use encryption and hashing algorithms, but I can't understand how they can check those stored values and compare them with the user's password provided in the input field to verify it.


As I have read here in many answers, for example, you can't detect the MD5 hashed password and those have one direct algorithm, so how do databases use those hashes?

Recommended answer


When checking a username / password combination, the login information is sent to the server via POST. The server-side scripts will then (if built correctly) reapply the same logic that they used to hash the information in the first place.


For example, if a script calls md5($password) during registration, the user's password will be stored in the database as an MD5 hash. When attempting to log in as this user, the login script must apply the same hashing method used at registration to the POSTed password - in this case, md5($password) - so that the two MD5 strings can be compared against one another.


In this way, you're comparing the hashed values. Because applying the same hashing mechanism to the same string will always give the same hashed output, by simply comparing the same hash you'll be comparing the same original string. This is how you know whether the user got the right password or not.


Also, keep in mind that encryption and hashing are not the same thing. If you know the key used in encryption, decryption becomes trivial. Conversely, a hash is a one-way encryption, so the only way to 'crack' a hash is with brute force (guessing what the password might be and then comparing the hashed outputs).


Finally, note that MD5 is highly insecure (even with a salt) and should NOT be used for password storage. Instead, you should consider password_hash() and password_verify() (if using PHP) along with a secure algorithm like PASSWORD_BCRYPT or PASSWORD_ARGON2I.
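The register-then-verify flow described in this answer, as an added example that is not part of the original post: an in-memory array stands in for the users table, and the legacy md5() scheme from the question sits beside the password_hash()/password_verify() scheme the answer recommends. It assumes PHP 7.2 or later and falls back to bcrypt when the build lacks Argon2.

```php
<?php
// Added example (not the original answer's code). A PHP array is used as a
// stand-in for the users table so the script runs offline.

// Legacy scheme from the question: one deterministic md5() at registration,
// the same md5() again at login, then a string compare. The compare works,
// but the digest is unsalted and fast to compute, so it is easy to guess.
function legacyRegister(array &$users, string $name, string $password): void
{
    $users[$name] = md5($password);
}

function legacyLogin(array $users, string $name, string $password): bool
{
    // hash_equals() compares in constant time instead of with ===.
    return isset($users[$name]) && hash_equals($users[$name], md5($password));
}

// Recommended scheme: password_hash() draws a random salt, runs a slow
// algorithm, and encodes algorithm id, cost and salt into the returned string,
// so password_verify() can repeat the exact same work from the stored value.
function secureRegister(array &$users, string $name, string $password): void
{
    // PASSWORD_ARGON2I is only defined when PHP was built with Argon2 support.
    $algo = defined('PASSWORD_ARGON2I') ? PASSWORD_ARGON2I : PASSWORD_BCRYPT;
    $users[$name] = password_hash($password, $algo);
}

function secureLogin(array $users, string $name, string $password): bool
{
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

// Constructed sample users.
$users = [];
legacyRegister($users, 'alice', 'correct horse');
secureRegister($users, 'bob', 'battery staple');

echo 'alice, right password: ', var_export(legacyLogin($users, 'alice', 'correct horse'), true), "\n";
echo 'alice, wrong password: ', var_export(legacyLogin($users, 'alice', 'wrong'), true), "\n";
echo 'bob, right password:   ', var_export(secureLogin($users, 'bob', 'battery staple'), true), "\n";
echo 'bob, wrong password:   ', var_export(secureLogin($users, 'bob', 'wrong'), true), "\n";

// The same password registered twice: md5() yields identical strings (so two
// users with one password are visible in a dump), while password_hash() yields
// different strings because of the per-hash salt, and both still verify.
$h1 = password_hash('x', PASSWORD_BCRYPT);
$h2 = password_hash('x', PASSWORD_BCRYPT);
echo 'md5 identical: ', var_export(md5('x') === md5('x'), true), "\n";
echo 'bcrypt identical: ', var_export($h1 === $h2, true),
     ', both verify: ', var_export(password_verify('x', $h1) && password_verify('x', $h2), true), "\n";
```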
