duanbage2161 2010-11-09 14:21
浏览 153
已采纳

使用salt验证用户登录

I'm using salt to encrypt my users' passwords. I'm using PHP, and here's a quick sample of what happens during a users registers.

Here it is:

PHP code:

    // Gives me my random key. My salt generator.
    $salt = uniqid(mt_rand());

    // My password via what users inputs.
    $userpwd;

    // Then the encryption. I use a HMAC hash.
    $encrypted = hmac_hash("sha256", $userpwd, $salt);
?>

Now that all works for me in my script. But my question is, how do I authenticate a user logging in? The new encrypted password is random, so I can't compare the password from the login form to the saved encrypted password in the database.

I've searched and can't find a solution. Maybe I haven't searched hard enough, but is there a way to decrypt the password? What can I do to authenticate the user with my script?

  • 写回答

6条回答 默认 最新

  • dongsechuan0535 2010-11-09 14:24
    关注

    You hash the user's inputted password the same way, then compare if the hash is the same as the one you stored.

    if (hmac_hash("sha256", $_POST['password'], $saltFromDatabase) === $hashFromDatabase)
        $login = true;
    

    You also have to store the salt since it's different for each user. I would also recommend using a second salt that is constant across the application (stored on a hard config file, so that even if the database is compromised, the passwords are still safe).

    Note: Hashing is not the same as encryption; It is an irreversible process.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(5条)

报告相同问题?

悬赏问题

  • ¥15 HFSS 中的 H 场图与 MATLAB 中绘制的 B1 场 部分对应不上
  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?