想要将网站密码加密从 SHA1 转换为 SHA256 [英] Want to Convert a Website password Encryption from SHA1 to SHA256

问题描述

只是在寻找一些建议.我有一个拥有大约 2500 名用户的网站 - 规模虽小但仍在增长.我在密码上使用 SHA1 加密来构建它.从那以后，我读到 SHA1 是不安全的，并想更改为带盐的 SHA256.

just looking for some advise. I have a website with around 2500 users - small but growing. I built it with using SHA1 encryption on the passwords. I've since read the SHA1 is insecure and would like to change to say SHA256 with a Salt.

有人对如何进行这样的过渡有任何建议吗?如果我可以解密密码并重新对它们进行哈希处理，那就太好了，但它似乎无法做到.

Does anyone have any advice on how to make a transition like this? Would be great if I could decrypt the passwords and just re-hash them but it doesn't appear doing able.

谢谢亚当

推荐答案

通常的处理方式是:

1. 增大哈希密码列以容纳 sha256 哈希值，并添加一个盐"列
2. 最初将 salt 字段设置为 NULL，并调整您的密码检查代码，使 NULL 盐表示 sha1，非 NULL 表示 sha256
3. 一旦 sha1-use 成功登录，请使用 salt 将密码重新散列到 sha256，并更新数据库.

随着时间的推移，用户会自行迁移到sha256；唯一的问题是用户偶尔登录或根本不登录.对于这些，您可能想发送一封提醒电子邮件，甚至威胁说如果他们在第 X 天之前没有登录就关闭他们的帐户(但不要给出实际原因...)

Over time, users will migrate to sha256 by themselves; the only problem are users who log in only very sporadically or not at all. For these, you may want to send a reminder e-mail, or even threaten to shut their account down if they don't log in before day X (don't give the actual reason though...)

这篇关于想要将网站密码加密从 SHA1 转换为 SHA256的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！