How to migrate passwords to a different hashing method


Problem description

When changing the password-hashing algorithm for an application, how should the system migrate the values already saved in the database? I am well aware of the fact that I can't migrate them in their hashed form but that I need to have the input data in order to calculate the new hash.

There are two situations in which I have access to the input data:

  1. At login
  2. When the user changes their password in the profile settings

Obviously only during one of these I am able to save the new hash to the database to migrate the password.

Although all of my colleagues are voting for method one, my gut tells me not to do that. Is there a recommended way?

Recommended answer

I see no reason not to do this on logon. Is there a reason you don't want to do #1? You validate against the new hash; if that fails, validate against the old hash algorithm. If that works, I'd then write the new hash over the old one. This means that your passwords will be converted faster, since users probably log on more than they go to change their password. Unless you force people to, I doubt most will change it on their own.
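The login-time migration the answer describes, as an added example in Python (not code from the question, the answer or any project): the stored value is checked against the new scheme first, then against the legacy one, and only a successful legacy login is rehashed in place, so a failed attempt never touches the record. The legacy scheme (unsalted SHA-1), the new scheme (PBKDF2-HMAC-SHA256 with a per-user random salt) and the in-memory user table are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed legacy scheme: unsalted SHA-1 hex digest (constructed for the example).
def legacy_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Assumed new scheme: PBKDF2-HMAC-SHA256, random 16-byte salt, self-describing record.
PBKDF2_ITERATIONS = 600_000
NEW_PREFIX = "pbkdf2_sha256"

def new_hash(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{NEW_PREFIX}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_new(password: str, stored: str) -> bool:
    # A legacy record does not parse as the new format, so this simply returns False.
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != NEW_PREFIX:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

def verify_legacy(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password), stored)

def login(db: dict, username: str, password: str) -> bool:
    """Method #1 from the answer: new hash first, then legacy; rehash on legacy success."""
    stored = db.get(username)
    if stored is None:
        return False
    if verify_new(password, stored):
        return True
    if verify_legacy(password, stored):
        db[username] = new_hash(password)  # migrate while the plaintext is available
        return True
    return False  # wrong password: the stored record is left untouched

# Constructed user table: alice still has a legacy hash, bob is already migrated.
USERS = {"alice": legacy_hash("correct horse"), "bob": new_hash("battery staple")}

def is_migrated(db: dict, username: str) -> bool:
    return db[username].startswith(NEW_PREFIX + "$")
```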
