doubo1711 2016-01-26 15:53
浏览 84
已采纳

那里有更简单的加密/解密哈希算法吗?

I have read on this great forum and several other places how difficult, if not impossible to decrypt with md5.

Unfortunately, I used md5 to hash our users' passwords:

 // hash to sanitize the input further
$password = md5($password);

Now, I am a bit of trouble because users who cannot remember their passwords, are not able to utilize our Recover password feature.

When they attempt to recover their password, they receive the encrypted password which is useless to them because they can't use it.

Given how difficulty, almost impossible it is to decrypt an md5 hash, is there a simpler encryption / decryption mechanism that someone could suggest that I try?

Pretty much in hot water now.

  • 写回答

1条回答 默认 最新

  • douju2053 2016-01-26 16:01
    关注

    Unfortunately, I used md5 to has our users' passwords

    How is that unfortunate? That's what you're supposed to do. User passwords should be obscured behind a 1-way hash and not recoverable by anybody. Not even by you as the system owner/administrator.

    users who cannot remember their passwords, are not able to utilize our Recover password feature

    There should be no such thing as a "recover password feature". It's called a "reset password feature". You can change a user's password administratively. But you should never ever be able to read it.

    When they attempt to recover their password, they receive the encrypted password which is useless to them because they can't use it.

    But attackers can use it. Which is why you shouldn't be sending it out to anybody in the first place.

    is there a simpler encryption / decryption mechanism that someone could suggest that I try?

    Is doesn't get much simpler than:

    md5($password)
    

    It's one function call. Five keystrokes. It's really simple to use. And since you're already using it, you're good.

    Once you stop publishing your password hashes, you'll be all set on handling user passwords (at least as far as we know here). Keep up the great work! There are tons of services out there which don't properly obscure user passwords. Thank you for at least attempting it.


    Note: As users have pointed out (users who are far more familiar with PHP these days than I am), while using md5() directly is a step in the right direction, it's not the best you could be doing.

    Instead, take a look at PHP's built in password handling functionality. (Or, if you're using an older, pre-5.5 version of PHP, there's a compatibility pack which maintains the same functionality.) Jay Blanchard has written a handy article on its use here.

    The concept is the same, obscuring user passwords by means of a one-way hash. But the tooling has evolved considerably.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 cplex运行后参数报错是为什么
  • ¥15 之前不小心删了pycharm的文件,后面重新安装之后软件打不开了
  • ¥15 vue3获取动态宽度,刷新后动态宽度值为0
  • ¥15 升腾威讯云桌面V2.0.0摄像头问题
  • ¥15 关于Python的会计设计
  • ¥15 聚类分析 设计k-均值算法分类器,对一组二维模式向量进行分类。
  • ¥15 stm32c8t6工程,使用hal库
  • ¥15 找能接spark如图片的,可议价
  • ¥15 关于#单片机#的问题,请各位专家解答!
  • ¥15 博通raid 的写入速度很高也很低