doubo1711
doubo1711
2016-01-26 15:53

那里有更简单的加密/解密哈希算法吗?

已采纳

I have read on this great forum and several other places how difficult, if not impossible to decrypt with md5.

Unfortunately, I used md5 to hash our users' passwords:

 // hash to sanitize the input further
$password = md5($password);

Now, I am a bit of trouble because users who cannot remember their passwords, are not able to utilize our Recover password feature.

When they attempt to recover their password, they receive the encrypted password which is useless to them because they can't use it.

Given how difficulty, almost impossible it is to decrypt an md5 hash, is there a simpler encryption / decryption mechanism that someone could suggest that I try?

Pretty much in hot water now.

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答

1条回答

  • douju2053 douju2053 5年前

    Unfortunately, I used md5 to has our users' passwords

    How is that unfortunate? That's what you're supposed to do. User passwords should be obscured behind a 1-way hash and not recoverable by anybody. Not even by you as the system owner/administrator.

    users who cannot remember their passwords, are not able to utilize our Recover password feature

    There should be no such thing as a "recover password feature". It's called a "reset password feature". You can change a user's password administratively. But you should never ever be able to read it.

    When they attempt to recover their password, they receive the encrypted password which is useless to them because they can't use it.

    But attackers can use it. Which is why you shouldn't be sending it out to anybody in the first place.

    is there a simpler encryption / decryption mechanism that someone could suggest that I try?

    Is doesn't get much simpler than:

    md5($password)
    

    It's one function call. Five keystrokes. It's really simple to use. And since you're already using it, you're good.

    Once you stop publishing your password hashes, you'll be all set on handling user passwords (at least as far as we know here). Keep up the great work! There are tons of services out there which don't properly obscure user passwords. Thank you for at least attempting it.


    Note: As users have pointed out (users who are far more familiar with PHP these days than I am), while using md5() directly is a step in the right direction, it's not the best you could be doing.

    Instead, take a look at PHP's built in password handling functionality. (Or, if you're using an older, pre-5.5 version of PHP, there's a compatibility pack which maintains the same functionality.) Jay Blanchard has written a handy article on its use here.

    The concept is the same, obscuring user passwords by means of a one-way hash. But the tooling has evolved considerably.

    点赞 评论 复制链接分享

相关推荐