Implementing a service that posts a user's ID and an MDG-hashed password to my server for verification.
We store hashes passwords that are generated using the password_hash() function in PHP >5.5.
Is there any way to verify the MD5 hash and our hash point to the same password?
Normally, a password would be submitted to us via a login form and we would verify with password_verify() but without the password in plain text I'm at a bit of a loss.
分享 Normally, a password would be submitted to us via a login form and we would verify with password_verify() but without the password in plain text I'm at a bit of a loss.
As long as you use secure transport (SSL), this won't be an issue. That's the standard way that this is done. Otherwise you'll need to implement the hashing mechanism used by password_hash() in your client. Doing this wouldn't make your security scheme any better. It's still susceptible to replay attacks.
Also, you should stay away from MD5 because it's broken.
分享
