donglie1898 2011-03-17 18:35
浏览 99
已采纳

便携式(PHPass)密码哈希。 我应该使用它们吗?

I'm installing a user registration script (Tank Auth) for my website.

In the installation guide its says,

WARNING: By default the library generates strong system-specific password hashes that are not portable. It means that once created, user database cannot be dumped and exported to another server. This behavior can be changed in config-file as well.

This put me in a dilemma. In the future I may want to change servers but I don't want weak passwords either. Are portable password hashes a big risk? And more importantly, what do they mean by hashes? Is it the character length?

  • 写回答

1条回答 默认 最新

  • doucuyu2259 2011-03-17 18:39
    关注

    Task Auth uses PHPass for password hashing (an old version, that's not a good sign; you might want to update that in your install). PHPass has two modes, portable and bcrypt.

    Depending on the PHP version, you do not need to have portable hashes on. On PHP 5.3 and above, PHP supplies its own implementation of bcrypt if it isn't available on the system. If all your servers have PHP 5.3 and above, I highly recommend to turn portable hashes off. PHPass "portables hashes" exists because, depending of the version of PHP installed, bcrypt might not be available.

    That said, PHPass portable hashes does store the salt in its hash. That's why every run on the same password is different.

    Also, PHPass uses PHP_VERSION during the generation of those hashes* to check if the md5() function available with that version supports the $rawMode parameter. If it doesn't, pack() is use to transform the hexadecimal data into binary (note that this is considerably slower then simply using $rawMode, which is why the branch is made).

    Again, if all your servers are running PHP 5.3 and above, I highly recommend to turn off portable mode and let PHPass use bcrypt instead. Since PHP 5.3+ provides its own implementation when the system one isn't available, your hash will be checkable across OSes. Even if you do turn off portable mode, PHPass will still be smart enough to check your old hashes the proper way.

    * Line 131

    EDIT: For more explanation, here is how hashes in portable mode are generated (simplified, does not use actual variables found in PHPass, but accurate). Note that PHPass uses their own version of base64 encoding.

    1. $final = '$P$'

    2. $final .= encode64_int($rounds) (from constructor, minimum is 5 on PHP 5+, 3 other)

    3. $final .= genSalt() (Salt is 6 bytes... 8 bytes in "encode64" format).

    4. $hash = md5($salt . $password)

    5. For 2$rounds times, do $hash = md5($hash . $password)

    6. $final = encode64($hash)

    So the final hash essentially is this:

    $P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0
\__________/\____________________/
  \                   \
   \                   \ Actual Hash
    \
     \  $P$   9   IQRaTwmf
        \_/   \   \______/
         \     \      \
          \     \      \ Salt
           \     \ 
            \     \ # Rounds (not decimal representation, 9 is actually 11)
             \
              \ Hash Header
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 求快手直播间榜单匿名采集ID用户名简单能学会的
  • ¥15 DS18B20内部ADC模数转换器
  • ¥15 做个有关计算的小程序
  • ¥15 MPI读取tif文件无法正常给各进程分配路径
  • ¥15 如何用MATLAB实现以下三个公式(有相互嵌套)
  • ¥30 关于#算法#的问题:运用EViews第九版本进行一系列计量经济学的时间数列数据回归分析预测问题 求各位帮我解答一下
  • ¥15 setInterval 页面闪烁,怎么解决
  • ¥15 如何让企业微信机器人实现消息汇总整合
  • ¥50 关于#ui#的问题:做yolov8的ui界面出现的问题
  • ¥15 如何用Python爬取各高校教师公开的教育和工作经历