duanbage2161 2010-11-09 14:21
浏览 153
已采纳

使用salt验证用户登录

I'm using salt to encrypt my users' passwords. I'm using PHP, and here's a quick sample of what happens during a users registers.

Here it is:

PHP code:

    // Gives me my random key. My salt generator.
    $salt = uniqid(mt_rand());

    // My password via what users inputs.
    $userpwd;

    // Then the encryption. I use a HMAC hash.
    $encrypted = hmac_hash("sha256", $userpwd, $salt);
?>

Now that all works for me in my script. But my question is, how do I authenticate a user logging in? The new encrypted password is random, so I can't compare the password from the login form to the saved encrypted password in the database.

I've searched and can't find a solution. Maybe I haven't searched hard enough, but is there a way to decrypt the password? What can I do to authenticate the user with my script?

  • 写回答

6条回答 默认 最新

  • dongsechuan0535 2010-11-09 14:24
    关注

    You hash the user's inputted password the same way, then compare if the hash is the same as the one you stored.

    if (hmac_hash("sha256", $_POST['password'], $saltFromDatabase) === $hashFromDatabase)
    $login = true;

    You also have to store the salt since it's different for each user. I would also recommend using a second salt that is constant across the application (stored on a hard config file, so that even if the database is compromised, the passwords are still safe).

    Note: Hashing is not the same as encryption; It is an irreversible process.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(5条)

报告相同问题?

悬赏问题

  • ¥15 有了解d3和topogram.js库的吗?有偿请教
  • ¥100 任意维数的K均值聚类
  • ¥15 stamps做sbas-insar,时序沉降图怎么画
  • ¥15 unity第一人称射击小游戏,有demo,在原脚本的基础上进行修改以达到要求
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看
  • ¥15 关于#Java#的问题,如何解决?
  • ¥15 加热介质是液体,换热器壳侧导热系数和总的导热系数怎么算
  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
  • ¥15 cmd cl 0x000007b
  • ¥20 BAPI_PR_CHANGE how to add account assignment information for service line