Cakephp 3.0 alpha2 How to compare new password to old passwords?

Views: 106

Question

Okay, so I am testing out Cakephp 3.0 alpha2 by transferring my application (2.5) to 3.x. My current application has it set up so that when you reset your password you cannot change it to any of the previous six passwords (stored in a passwords table that connects it by the user_id) for security purposes. As I look at the changes in Cake 3.0, I noticed that if you create a new entity the password hashes differently even if it is the same password. What would be a good way to compare the new password to the old ones? Would I go about using the password hasher built-in function called check?

Recommended answer

CakePHP 3 uses bcrypt. In brief: bcrypt uses a different salt for each password, and stores the salt as part of the password hash. That is why, as you've found, bcrypt will generate a different hash each time the same plain-text password is encrypted.

However, if it's to be of any use as an authentication system, you have to be able to check if a plain-text password 'fits' for a given hashed version of that password - even though there's not one single 'correct' hashed version, right? Right.

You can use the password_verify method - http://au2.php.net/password_verify

So, rather than hashing the plain-text version and seeing if the hashed version of the new password matches the hashed versions of each of the past 6 versions, you have to call password_verify on the plain-text password 6 times - once for each of the previous hashed passwords, to see if there are any matches.

There's a good explanation of bcrypt in php here: How do you use bcrypt for hashing passwords in PHP? I'd recommend reading that - once you understand how bcrypt treats passwords, your problem shouldn't be too hard to solve.
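The check described in this answer, written out in plain PHP as an added example (not code from the original answer or from CakePHP itself). The six-entry hash history is constructed inline to stand in for rows from the passwords table, and the function name isReusedPassword is my own; CakePHP 3's DefaultPasswordHasher::check() wraps the same password_verify() call, so the loop works unchanged with that hasher.

```php
<?php
// Added example: reject a new password that matches any of the user's
// previous bcrypt hashes. Because every bcrypt hash carries its own salt,
// a freshly computed hash of the new password will never equal a stored
// hash; each stored hash has to be checked with password_verify() instead.
declare(strict_types=1);

/**
 * Return true when $plainText matches any hash in $previousHashes.
 * Cost is one bcrypt verification per stored hash (six here), which is
 * acceptable for a password-reset request that happens rarely.
 */
function isReusedPassword(string $plainText, array $previousHashes): bool
{
    foreach ($previousHashes as $hash) {
        if (password_verify($plainText, $hash)) {
            return true;
        }
    }
    return false;
}

/**
 * Append a new hash and keep only the six most recent, newest first.
 * This is the window the question's application stores per user_id.
 */
function pushPasswordHash(string $newHash, array $previousHashes, int $keep = 6): array
{
    return array_slice(array_merge([$newHash], $previousHashes), 0, $keep);
}

// Constructed history (not real data): six previous passwords for one user,
// hashed with bcrypt exactly as CakePHP 3 would store them.
$history = [];
foreach (['winter2014', 'autumn2014', 'summer2014', 'spring2014', 'hunter2', 'letmein'] as $old) {
    $history[] = password_hash($old, PASSWORD_BCRYPT);
}

// A previous password is caught even though hashing it again gives a new hash.
var_dump(isReusedPassword('summer2014', $history));

// A genuinely new password passes, and its hash is stored for later checks;
// the oldest entry ("letmein") falls out of the six-entry window.
$candidate = 'correct horse battery staple';
if (!isReusedPassword($candidate, $history)) {
    $history = pushPasswordHash(password_hash($candidate, PASSWORD_BCRYPT), $history);
}
var_dump(isReusedPassword('letmein', $history));
```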
