Drupal 7 password hash


Problem description


I have a bit of a dilemma here. I have a drupal 7 database table of users, with corresponding passwords. All these passwords have been naturally encrypted. My assumption is that these are MD5 hashes, but not quite.

The challenge here is that we are utilizing the same set of users in a companion website that uses similar credentials but a different technology [please don't blame me for this, I am a mere pawn].

Now if I knew how Drupal goes about encrypting its passwords, maybe I could decrypt them and apply the same in my backend logic?

Solution

Note that these passwords are hashed, not encrypted. The fundamental difference between hashing and encryption is that with encryption you would be able to recover the original password. You won't be able to do that when they are hashed (not without a lot of effort), and that's by design.

Think of hash browns: if you've made a hash brown, you won't be able to get the original potatoes back. This is done so that if a hacker compromises your system and gains access to the database, they won't be able to see or recover the original passwords.

So how does one check if the user entered the correct password? Well, when the user tries to log in and enters a password, you apply the same functions to the user input and see if the output is the same thing as what's stored in the database. Since hashing functions are deterministic, you'll always get the same output with the same input.

The key to getting multiple applications to work with the same hashes is to have them use the same functions on the passwords when attempting to authenticate a user. Drupal probably also uses one or more salts - but that's not important. As long as the same logic is used by your applications, the hashes will always be fully compatible.

Suppose Drupal uses something like this as its authentication system (very simplified pseudo-ish code):

/*
    input: user-entered $username and $password
    output: true if authorized, false otherwise
*/
function auth($username, $password)
{
    $salt = 'some random salt';

    // input is sanitized somewhere, somehow (a real implementation would bind
    // $username as a query parameter rather than interpolating it into the SQL);
    // db_result() stands in for whatever fetches a single value from the database
    $hash_from_db = db_result("SELECT hash FROM users WHERE username = '$username'");
    $hashed_input = sha1($password . $salt);

    if ($hash_from_db != $hashed_input)
        return false;
    else
        return true;
}

If your other application uses the exact same thing to authenticate its users, it will work fine. Note that Drupal's authentication scheme will probably be a lot more complex, but don't let that faze you. It's just about doing the same thing Drupal does.


For Drupal, here's where you can start: user_hash_password().
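Since the companion site runs on a different technology, what matters is reproducing exactly what user_hash_password() does: a Drupal 7 "$S$" hash carries a per-user salt and a log2 iteration count in its first 12 characters, then applies iterated SHA-512 and a phpass-style base64. The Python below is an added example, not code from the answer or from Drupal itself; it follows the algorithm of Drupal 7's password handling code as I know it, the function names, the constructed salt and the test passwords are mine, and a port should be checked against a hash produced by a real Drupal 7 install before the two sites share accounts.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55             # DRUPAL_HASH_LENGTH: stored value is truncated to this
MIN_LOG2, MAX_LOG2 = 7, 30   # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT


def _b64_encode(data: bytes) -> str:
    """phpass-style base64: 3-byte little-endian groups, one ITOA64 char per 6 bits, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out.extend(ITOA64[(value >> (6 * j)) & 0x3F] for j in range(len(chunk) + 1))
    return "".join(out)


def _crypt(password: str, setting: str):
    """Iterated SHA-512 as in Drupal's _password_crypt(); returns None for a malformed setting."""
    if len(password) > 512:                    # Drupal refuses huge passwords (DoS guard)
        return None
    setting = setting[:12]                     # "$S$" + log2(count) char + 8-char salt
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    pw = password.encode()
    digest = hashlib.sha512(setting[4:].encode() + pw).digest()
    for _ in range(1 << count_log2):           # 2**count_log2 further rounds
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64_encode(digest))[:HASH_LENGTH]


def hash_password(password: str, count_log2: int = 15, salt: bytes = None) -> str:
    """Like user_hash_password(): fresh $S$ hash from 6 random salt bytes (salt arg is for tests)."""
    count_log2 = min(max(count_log2, MIN_LOG2), MAX_LOG2)
    setting = "$S$" + ITOA64[count_log2] + _b64_encode(os.urandom(6) if salt is None else salt)
    return _crypt(password, setting)


def check_password(password: str, stored: str) -> bool:
    """Like user_check_password(): verifies $S$ hashes and D6-era 'U$' md5-upgraded ones."""
    if stored.startswith("U$"):                # D6 md5 hash that was re-hashed on upgrade
        stored, password = stored[1:], hashlib.md5(password.encode()).hexdigest()
    if not stored.startswith("$S$"):           # $P$/$H$ phpass-md5 hashes are out of scope here
        return False
    computed = _crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)
```

The comparison is constant-time and a hash that fails to parse verifies as False rather than raising, so a malformed row in the shared table cannot log anyone in.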
