doupingzhi9674
2012-01-25 01:31
浏览 76
已采纳

所有md5哈希都是一样的吗?

If I create an md5 hash for a string on one cpmputer using a bash script, will that same string create the same md5 hash if I were to cerate an md5 hash via a php script on another computer? I'm trying to write a script on one computer and port it to another. That script will create an md5 hash for a user password. Then, a seperate web page will ask for a username and password. As I do not want to store the raw password I'd like to store the hash, have the php script compute the hash for the password that the user enters, and grant access if they match up. Should this theoretically work, or are there issues that I need to consider?

图片转代码服务由CSDN问答提供 功能建议

如果我使用bash脚本在一个cpmputer上为字符串创建md5哈希,那么同一个字符串是否会创建相同的字符串 md5哈希,如果我通过另一台计算机上的PHP脚本调用md5哈希? 我正在尝试在一台计算机上编写脚本并将其移植到另一台计算机上。 该脚本将为用户密码创建md5哈希。 然后,单独的网页将要求输入用户名和密码。 因为我不想存储我希望存储哈希的原始密码,所以让php脚本计算用户输入的密码的哈希值,并在它们匹配时授予访问权限。 理论上这应该有用吗,还是我需要考虑的问题?

  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

3条回答 默认 最新

  • douzhuoxia0587 2012-01-25 01:33
    已采纳

    Yes, MD5 checksums are platform agnostic and will produce the same value every time on the same file/string/whatever.

    However, you may want to reconsider your scheme. At least salt your hashes. There is tons of advice for username/password storage schemes on StackOverflow.

    已采纳该答案
    评论
    解决 无用
    打赏 举报
  • dongsha2792 2012-01-25 01:33

    Yes, in theory that should work. MD5 is a hashing algorithm, so as long as it's using MD5 for both ends, it should work no problem.

    There are other, more secure hashing algorithms you might want to consider, like SHA for example. And, as the comments above suggest, you should always salt your hashes to add an extra layer of security...

    评论
    解决 无用
    打赏 举报
  • dongnao9525 2012-01-25 02:14

    Yes, provided you hash the same sequence of bytes on each platform. Consider this, for example:

    $ echo 'P4$$w0rd' | md5
    9bb60af76b036e37a6d2626868c8c101
    $ printf 'P4$$w0rd' | md5
    640e5a3b9f9e4d667456c4e68194d6a2
    

    Why are the hashes different? Because echo put a newline (ascii LF character) at the end of the string, while printf didn't. You need to make sure that all platforms are encoding the password the same way (i.e. ISO-8859-1 vs. UTF-8 vs. UTF-16 vs. UTF-8 with BOM...), and if anything's added (like the newline) it should be consistent (e.g. Windows tends to use CRLF at the end of lines, instead of just LF...).

    Also, as @Mitch Wheat mentioned, for password storage you really should salt the hash (i.e. hash some random data together with the password, then store the random data and the hash). Something stronger than MD5 would be good as well, but that's not nearly as important. Here's a completely quick-and-dirty implementation:

    # generate the hash:
    read -s -p "Enter a password:" password
    echo
    salt="$RANDOM"  # Really should use something more random here...
    hashedpw="$salt,$(printf "%s|%s" "$salt" "$password" | md5)"
    
    echo "The salted hash is $hashedpw"
    
    # check the hash:
    read -s -p "Try to reenter the password:" testpassword
    echo
    salt="${hashedpw%%,*}"
    hashonly="${hashedpw#*,}"
    if [ "$hashonly" = "$(printf "%s|%s" "$salt" "$testpassword" | md5)" ]; then
        echo "That was the same password"
    else
        echo "That was not the same password"
    fi
    

    EDIT: here's a better way of generating a random salt, although it's probably not as portable:

    salt="$(dd if=/dev/random bs=16 count=1 2>/dev/null | od -x | sed 's/^[0-9]*//' | tr -d $' \t
    ')"
    

    If you want even more randomness, just increase the bs=16 parameter; that controls the number of bytes of random data that's used.

    评论
    解决 无用
    打赏 举报

相关推荐 更多相似问题