How to upgrade a password storage scheme (change hashing-algorithm)


Question

I've been asked to implement some changes/updates to an intranet-site; make it 'future proof' as they call it.

We found that the passwords are hashed using the MD5 algorithm. (The system has been around since 2001, so it was adequate at the time.)
We would now like to upgrade the hashing-algorithm to a stronger one (BCrypt-hash or SHA-256).

We obviously do not know the plaintext-passwords, and creating a new password for the userbase is not an option*).

So, my question is:

What is the accepted way to change hashing-algorithm without having access to the plaintext passwords?
The best solution would be a solution that is entirely 'behind the scenes'.

*) We tried; we tried to convince them, we used the 'password age' argument, we tried to bribe them with coffee, we tried to bribe them with cake, etc. But it's not an option.

Update
I was hoping for some sort of automagic solution for solving the problem, but apparently there are no other options than just 'wait for the user to log in, then convert'.

Well, at least now I know there is no other solution available.

Answer

First, add a field to the DB to identify whether the password is using MD5 or the new algorithm.

For all passwords still using MD5:

-- In the login process, where you verify a user's entered password: temporarily store the user's submitted password in memory (no security issue here, as it is already in memory somewhere) and do the usual MD5 hash & compare with the stored hash;

-- If the correct password was given (matches the existing hash), run the temporarily stored password through the new algorithm, store that value, and update the new field to identify that this password has been updated to the new algorithm.

(Of course you would just use the new algorithm for any new users/new passwords.)
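The login-time upgrade described in the answer, as an added example that is not part of the original post. It assumes an in-memory user record with the columns `pw_scheme`, `salt` and `pw_hash` (the real schema is not given), an unsalted hex MD5 digest as the legacy format, and standard-library PBKDF2-HMAC-SHA256 standing in for the "new algorithm" (BCrypt would slot in the same way):

```python
import hashlib
import hmac
import os

LEGACY = "md5"            # value of the new scheme field for un-migrated rows
MODERN = "pbkdf2_sha256"  # stand-in for the chosen new algorithm (assumption)
PBKDF2_ROUNDS = 600_000   # OWASP-recommended iteration count for PBKDF2-HMAC-SHA256


def legacy_hash(password: str) -> str:
    # Assumed 2001-era format: unsalted MD5 of the raw password, hex-encoded.
    return hashlib.md5(password.encode()).hexdigest()


def modern_hash(password: str, salt: bytes) -> str:
    # Salted, iterated hash; a random per-user salt is generated at upgrade time.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def verify_and_upgrade(user: dict, submitted: str) -> bool:
    """Verify `submitted` against the stored record. If the row is still MD5 and the
    password is correct, re-hash it with the new algorithm and flip the scheme field.
    A failed attempt never touches the record."""
    if user["pw_scheme"] == LEGACY:
        # Constant-time comparison of the hex digests.
        ok = hmac.compare_digest(legacy_hash(submitted), user["pw_hash"])
        if ok:
            salt = os.urandom(16)
            user["salt"] = salt
            user["pw_hash"] = modern_hash(submitted, salt)   # plaintext used once, here
            user["pw_scheme"] = MODERN
        return ok
    return hmac.compare_digest(modern_hash(submitted, user["salt"]), user["pw_hash"])


def new_user(password: str) -> dict:
    # New accounts and password changes go straight to the new algorithm.
    salt = os.urandom(16)
    return {"pw_scheme": MODERN, "salt": salt, "pw_hash": modern_hash(password, salt)}


# Constructed sample row: a user created under the old scheme with password "correct horse".
legacy_user = {"pw_scheme": LEGACY, "salt": None, "pw_hash": legacy_hash("correct horse")}
```

Once every row's `pw_scheme` reads `pbkdf2_sha256`, the `LEGACY` branch and `legacy_hash` can be deleted.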
