Phpass - danger of not being able to access all passwords?


Question

Sorry, this may be dumb, but there is something I don't understand about Phpass. If I can create a secure hashed password like this:

<?php
require_once 'PasswordHash.php';              // the class ships with Phpass
$pwdHasher = new PasswordHash(8, FALSE);      // 8 = log2 of the cost; FALSE = prefer bcrypt over portable hashes
$hash = $pwdHasher->HashPassword( $password ); // $hash carries scheme, cost, salt and digest

然后像这样检查它:

$checked = $pwdHasher->CheckPassword($password, $hash); // TRUE or FALSE, nothing else

then that means that logically the passwords must be stored in such a way as they can only be read on a specific machine (otherwise someone could just use the "CheckPassword" function on another machine to get the password). How does Phpass do this?

If I need to move a website to a new server in the future, doesn't this cause a problem? How do I safely back up my database such that in case of a major server failure, I can recover all the passwords? (Am I missing something obvious?)

Edit - in response to the comments below, if different machines do not affect it then if a hacker gets access to my database, why can't they just execute CheckPassword on their own machine to get the original password? Sorry, I must be missing something obvious.

Edit 2 - Damn, I was missing something obvious. The compare function only checks the given password against the hashed one and returns true or false - you never actually have to have access to the password itself. Apologies for being dumb!

Recommended answer

The hashes created by bcrypt use the modular crypt format that does not just contain the hash value but also an indicator of the used hash function, the number of rounds, and the salt that has been used to create the hash value. In your case the returned strings look like this:

$2a$08$sssssssssssssssssssssshhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

That means everything you need to verify a password is stored in this string.

The reason why attackers can't just use this string and get the original password is because of one significant property of a good cryptographic hash function: "it is infeasible to generate a message that has a given hash."
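The answer's point, that the stored string carries everything verification needs and that CheckPassword only recomputes and compares, shown in an added Python example that is not Phpass's own PHP code: it reimplements Phpass's portable `$P$` scheme (what you get when the constructor's second argument is TRUE) instead of the `$2a$` bcrypt strings above, because iterated MD5 runs with the standard library alone, while the field layout (scheme, cost, salt, digest in one string) is the same idea. The function names and the constant-time compare are my additions; Phpass itself compares with `===`.

```python
import hashlib
import hmac
import os

# Phpass's 6-bit alphabet (not standard base64); the char after "$P$" indexes it to give log2(rounds).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """Phpass encode64(): packs bytes into ITOA64 chars, low bits first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def crypt_private(password: bytes, setting: str) -> str:
    """Phpass crypt_private(): every parameter comes from the 12-char setting prefix."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a Phpass portable hash")
    count_log2 = ITOA64.index(setting[3])  # cost: 'B' -> 2**13 rounds
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()          # 8-char salt, stored in the clear
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest)  # 12-char prefix + 22-char digest

def hash_password(password: str, count_log2: int = 8) -> str:
    """HashPassword(): fresh random salt; cost and salt are written into the output."""
    setting = "$P$" + ITOA64[min(count_log2 + 5, 30)] + encode64(os.urandom(6))
    return crypt_private(password.encode(), setting)

def check_password(password: str, stored: str) -> bool:
    """CheckPassword(): recompute from the stored string and compare (constant-time here), never decrypt."""
    return hmac.compare_digest(crypt_private(password.encode(), stored), stored)
```

Because the salt and cost travel inside the 34-character string, the same `check_password` call gives the same answer on any machine that holds a copy of the database row.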
