想要将网站密码加密从 SHA1 转换为 SHA256 [英] Want to Convert a Website password Encryption from SHA1 to SHA256
问题描述
只是在寻找一些建议.我有一个拥有大约 2500 名用户的网站 - 规模虽小但仍在增长.我在密码上使用 SHA1 加密来构建它.从那以后,我读到 SHA1 是不安全的,并想更改为带盐的 SHA256.
just looking for some advise. I have a website with around 2500 users - small but growing. I built it with using SHA1 encryption on the passwords. I've since read the SHA1 is insecure and would like to change to say SHA256 with a Salt.
有人对如何进行这样的过渡有任何建议吗?如果我可以解密密码并重新对它们进行哈希处理,那就太好了,但它似乎无法做到.
Does anyone have any advice on how to make a transition like this? Would be great if I could decrypt the passwords and just re-hash them but it doesn't appear doing able.
谢谢亚当
推荐答案
通常的处理方式是:
- 增大哈希密码列以容纳 sha256 哈希值,并添加一个盐"列
- 最初将 salt 字段设置为 NULL,并调整您的密码检查代码,使 NULL 盐表示 sha1,非 NULL 表示 sha256
- 一旦 sha1-use 成功登录,请使用 salt 将密码重新散列到 sha256,并更新数据库.
随着时间的推移,用户会自行迁移到sha256;唯一的问题是用户偶尔登录或根本不登录.对于这些,您可能想发送一封提醒电子邮件,甚至威胁说如果他们在第 X 天之前没有登录就关闭他们的帐户(但不要给出实际原因...)
Over time, users will migrate to sha256 by themselves; the only problem are users who log in only very sporadically or not at all. For these, you may want to send a reminder e-mail, or even threaten to shut their account down if they don't log in before day X (don't give the actual reason though...)
这篇关于想要将网站密码加密从 SHA1 转换为 SHA256的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!