django: convert unsalted md5 (without salt) hash to pbkdf2


Problem description

I have an old database where user passwords were hashed with md5 without salt. Now I am converting the project to django and need to update the passwords without asking users to log in.

I wrote this hasher:

from django.contrib.auth.hashers import PBKDF2PasswordHasher

class PBKDF2WrappedMD5PasswordHasher(PBKDF2PasswordHasher):
    algorithm = 'pbkdf2_wrapped_md5'

    def encode_md5_hash(self, md5_hash, salt):
        # Feed the existing MD5 hex digest to PBKDF2 as if it were the password
        return super().encode(md5_hash, salt)

and convert the passwords like this:

from django.utils.crypto import get_random_string

for data in old_user_data:
    hasher = PBKDF2WrappedMD5PasswordHasher()
    random_salt = get_random_string(length=8)
    # data['password'] is e.g. '972131D979FF69F96DDFCC7AE3769B31'
    # user is the corresponding Django user object (how it is looked up is not shown in the post)
    user.password = hasher.encode_md5_hash(data['password'], random_salt)

but I can't log in with my test user.

Any ideas? :/

Recommended answer

I'm afraid you cannot do what you want with this. Hashing is strictly one-way, so there is no way to convert from one hash to another. You WILL have to update these passwords to the new hash one by one as users log in.

A decent strategy for implementing this change is:

  1. Mark all existing hashes as md5. You could just use some kind of boolean flag/column, but there is an accepted standard for this: https://passlib.readthedocs.io/zh-CN/stable/modular_crypt_format.html
  2. When a user logs in, first check which type of hash they have, then compute that hash to authenticate them. If they are still on md5, compute md5 to log them in; if they are now on pbkdf2, compute that hash instead.
  3. Once the password has been authenticated, if it is still marked md5, compute the hash in the new format and replace it, making sure it is now marked pbkdf2.

IMPORTANT: You will want to test this thoroughly before you release it to the wild. If you make a mistake, you might destroy the credentials of any user logging in. I would recommend temporarily retaining a copy of the old md5 hashes until you confirm production is stable, but make absolutely certain you destroy this copy completely. Your users' passwords are not safe as long as the md5 hashes exist at all.
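The three-step login-time migration the answer outlines, as an added example in plain Python with hashlib; this is not code from the question, the answer, or Django. It assumes a hypothetical dict-backed user store in place of the users table, tags legacy rows as `md5$$<hex>` (algorithm, empty salt field, digest, loosely following the modular crypt format the answer links), and uses PBKDF2-SHA256 with an iteration count chosen here; Django's own stored format and default iteration count differ.

```python
import base64
import hashlib
import hmac
import os

# Iteration count chosen for this example; Django sets its own default per release.
PBKDF2_ITERATIONS = 600_000


def tag_legacy_md5(md5_hex):
    """Step 1: mark an existing unsalted MD5 digest with its algorithm.

    Stored form is 'md5$$<hex>': algorithm, empty salt field, digest. The hex
    is normalised to lowercase so the old uppercase column compares cleanly.
    """
    return "md5$$" + md5_hex.lower()


def hash_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Produce 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'.

    A fresh random salt is generated when none is supplied; the stored salt
    is passed back in when re-computing the hash for verification.
    """
    if salt is None:
        salt = base64.b64encode(os.urandom(16)).decode("ascii").rstrip("=")
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("ascii"), iterations
    )
    digest = base64.b64encode(derived).decode("ascii")
    return "$".join(["pbkdf2_sha256", str(iterations), salt, digest])


def verify(password, stored):
    """Step 2: pick the algorithm from the tag and compare in constant time."""
    algorithm, rest = stored.split("$", 1)
    if algorithm == "md5":
        _empty_salt, digest = rest.split("$", 1)
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, digest)
    if algorithm == "pbkdf2_sha256":
        iterations, salt, _digest = rest.split("$", 2)
        candidate = hash_pbkdf2(password, salt, int(iterations))
        return hmac.compare_digest(candidate, stored)
    raise ValueError("unknown hash algorithm: " + algorithm)


def is_legacy(stored):
    """True while the row still carries the md5 tag."""
    return stored.startswith("md5$")


def authenticate_and_upgrade(store, username, password):
    """Step 3: authenticate, and on success replace a legacy hash in place.

    `store` stands in for the users table (hypothetical dict: username -> hash).
    Returns True on a successful login. Only the plaintext just verified can be
    re-hashed, which is why the upgrade happens at login and nowhere else.
    """
    stored = store.get(username)
    if stored is None:
        # Spend roughly the cost of a real check so an unknown username is not
        # trivially distinguishable by timing; the result is discarded.
        hash_pbkdf2(password)
        return False
    if not verify(password, stored):
        return False
    if is_legacy(stored):
        store[username] = hash_pbkdf2(password)
    return True


def build_demo_store():
    """Constructed sample data: the old column held uppercase unsalted MD5 hex."""
    legacy_rows = {
        "alice": hashlib.md5(b"correct horse battery").hexdigest().upper(),
        "bob": hashlib.md5(b"hunter2").hexdigest().upper(),
    }
    return {name: tag_legacy_md5(h) for name, h in legacy_rows.items()}


if __name__ == "__main__":
    users = build_demo_store()
    print(users["alice"])                                      # md5$$...
    print(authenticate_and_upgrade(users, "alice", "wrong"))   # False, row stays md5
    print(authenticate_and_upgrade(users, "alice", "correct horse battery"))  # True
    print(users["alice"])                                      # pbkdf2_sha256$...
```

One caveat to keep in mind while the migration is in flight: an `md5$` row is verified in microseconds and a `pbkdf2_sha256$` row in a large fraction of a second, so login response time reveals which accounts have not yet been upgraded. That, together with the answer's point about the retained copy, is a reason to finish the migration and destroy every remaining md5 digest rather than let the mixed state persist.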
