I need to prevent reuse of password hash by another user, for example if a user can create his hash (knowing the password of curse) if he gained access to the database and replace someone else's hash with his, he will be able to log in as that user I was wondering if adding the id of the user to the hash will be good practice, if not, what else can I do? thank you.
1条回答 默认 最新
douyu7618 2015-05-11 13:23关注If someone can substitute the credentials in your database, and if this is the only thing that determines access to your system, then, yes, the user can cause your system to accept whatever password he chooses.
This is one important reason why many production systems ... used within a company ... and many of the back-side "plumbing" layers of public-facing systems ... do not use passwords of any sort to handle authentication or authorization. Instead, they use "trusted third-party authority" techniques such as LDAP (OpenDirectory) or Kerberos. No one is "whispering magic-words to one another" at any point.
In this scenario, both "authentication" (verifying who the requesting user actually is), and "authorization" (establishing what he can do) are not handled by logic within the systems themselves: these tasks are delegated to a centrally managed corporate authority. There is the concept of a "single sign-on." There are no "passwords" to steal. Even if the system requires the user to respond to a personal-challenge, e.g. to enter a password as part of the procedure, the central authority (software layer) manages everything: providing the challenge, interpreting the response, knowing that a correct response was timely given, and so forth.
These are robust technologies with peer-reviewed, trustworthy implementations that are also cross-platform and industry standard. They're very comprehensive. When you "swipe your badge" to get into your building every morning, they're probably what actually unlocks the door. They can be accessed by PHP, and/or by whatever web-server service is running your PHP application.
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报
分享
- 2015-05-11 12:54回答 1 已采纳 If someone can substitute the credentials in your database, and if this is the only thing that det
- 2017-02-08 18:11回答 1 已采纳 You should never encrypt passwords, you should only hash them. Encryption implies that you can dec
- 2018-07-12 07:21回答 1 已采纳 Wordpress provides a default function wp_hash_password(); Example: $password = 'admin'; $hash_pa
- 2024-04-01 16:10这货不是陈进坚的博客 php面试题汇总
- 2015-10-25 23:58回答 1 已采纳 It's hard to understand what you're asking, but I bet you want to hash the value of $password befo
- 2015-06-03 09:47回答 2 已采纳 <?php // you should put your db connection stuff here require('connect.php'); //you create a
- 2015-06-12 11:09回答 2 已采纳 As has been pointed out serveral times to you in the comments you should never store passwords as
- 2022-09-05 17:49后端木木的博客 php面试题大全、PHP - 经典面试题大全,看这一篇就够了
- 2016-04-10 18:31回答 2 已采纳 You need to use password_verify for verifying if password is correct or not. Something like this
- 2015-03-10 19:13回答 1 已采纳 There's a lot of hate in the OP's comments. But it's misdirected - OP is not trying to decode anyt
- 2016-06-25 12:04回答 3 已采纳 Okay so basically to explain how password_verify works: The first parameter is a non-hashed passw
- 2023-04-24 12:15青木客的博客 php的面试集结(会持续更新)
- 2014-01-02 10:13回答 1 已采纳 Use this to hash the password: $this->data['User']['password'] = AuthComponent::password(
- 2022-10-25 10:42lvshuocool的博客 一、安装PHP的redis扩展1)PHP的redis扩展有2个,分别是phpredis和predis扩展;2)phpredis需要下载扩展->编译安装,而predis不用,直接下载便可以操作默认在项目中还是采用官方的phpredis,本文也给出predis的使用...
- 2022-03-30 11:35勤天的博客 目录 一、安装PHP的redis扩展 1、linux下安装php的redis扩展 2、windows下安装php的redis扩展 ... predis使用的原生的PHP代码实现的一套Redis-client程序,可以不用安装任何扩展,只引入php代码就
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 改算法,照着压缩包里边,参考其他代码封装的格式 写到main函数里
- ¥15 用windows做服务的同志有吗
- ¥60 求一个简单的网页(标签-安全|关键词-上传)
- ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法
- ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
- ¥100 为什么这个恒流源电路不能恒流?
- ¥15 有偿求跨组件数据流路径图
- ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
- ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
- ¥15 一直显示正在等待HID—ISP