doubo1711
2016-01-26 15:53
Views: 72
Accepted

Is there a simpler encryption/decryption hashing algorithm out there?

I have read on this great forum and several other places how difficult, if not impossible, it is to decrypt with md5.

Unfortunately, I used md5 to hash our users' passwords:

 // hash to sanitize the input further
$password = md5($password);

Now, I am in a bit of trouble because users who cannot remember their passwords are not able to utilize our Recover password feature.

When they attempt to recover their password, they receive the encrypted password which is useless to them because they can't use it.

Given how difficult, almost impossible, it is to decrypt an md5 hash, is there a simpler encryption / decryption mechanism that someone could suggest that I try?

Pretty much in hot water now.


1 answer

  • douju2053
    douju2053 2016-01-26 16:01
    Accepted

    > Unfortunately, I used md5 to hash our users' passwords

    How is that unfortunate? That's what you're supposed to do. User passwords should be obscured behind a 1-way hash and not recoverable by anybody. Not even by you as the system owner/administrator.

    > users who cannot remember their passwords, are not able to utilize our Recover password feature

    There should be no such thing as a "recover password feature". It's called a "reset password feature". You can change a user's password administratively. But you should never ever be able to read it.

    > When they attempt to recover their password, they receive the encrypted password which is useless to them because they can't use it.

    But attackers can use it. Which is why you shouldn't be sending it out to anybody in the first place.

    > is there a simpler encryption / decryption mechanism that someone could suggest that I try?

    It doesn't get much simpler than:

    md5($password)
    

    It's one function call. Five keystrokes. It's really simple to use. And since you're already using it, you're good.

    Once you stop publishing your password hashes, you'll be all set on handling user passwords (at least as far as we know here). Keep up the great work! There are tons of services out there which don't properly obscure user passwords. Thank you for at least attempting it.


    Note: As users have pointed out (users who are far more familiar with PHP these days than I am), while using md5() directly is a step in the right direction, it's not the best you could be doing.

    Instead, take a look at PHP's built in password handling functionality. (Or, if you're using an older, pre-5.5 version of PHP, there's a compatibility pack which maintains the same functionality.) Jay Blanchard has written a handy article on its use here.

    The concept is the same, obscuring user passwords by means of a one-way hash. But the tooling has evolved considerably.

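An added example (not part of the original answer or of any project's code) of the approach the answer's note points to: PHP's built-in `password_hash()` / `password_verify()`, with existing MD5 rows upgraded at the user's next login, and a one-time reset token in place of password recovery. The in-memory `$users` array, the function names and the SHA-256 token digest are assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; $users is a constructed stand-in for the users table.
$users = ['alice' => ['hash' => md5('correct horse'), 'reset' => null]];

// Check a login and transparently upgrade a legacy MD5 row to password_hash().
function verifyLogin(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['hash'];
    // Legacy rows are 32 hex characters; password_hash() output starts with '$'.
    $isLegacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $isLegacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // The plaintext is only available here, so re-hash it now (salted, slow).
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Reset, not recover: e-mail a one-time random token and store only its digest.
function issueResetToken(array &$users, string $name, int $ttl = 3600): ?string
{
    if (!isset($users[$name])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $users[$name]['reset'] = ['digest' => hash('sha256', $token), 'expires' => time() + $ttl];
    return $token; // goes in the e-mailed link; the password or its hash never does
}

// Accept a valid, unexpired token once, then store the new password's hash.
function resetPassword(array &$users, string $name, string $token, string $new): bool
{
    $r = $users[$name]['reset'] ?? null;
    if (!$r || time() > $r['expires'] || !hash_equals($r['digest'], hash('sha256', $token))) {
        return false;
    }
    $users[$name]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    $users[$name]['reset'] = null; // single use
    return true;
}

var_dump(verifyLogin($users, 'alice', 'correct horse')); // login against the legacy MD5 row
$token = issueResetToken($users, 'alice');
var_dump(resetPassword($users, 'alice', $token, 'new passphrase'));
```

`random_bytes()` requires PHP 7 or later.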
