php 解码hash sha256加密,知道salt
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/18667393/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Decode hash sha256 encryption, knowing the salt
提问by franvergara66
I'm making a login system for a web application. To store passwords in the DB, I'm encrypting passwords using sha256 as follows:
我正在为 Web 应用程序制作登录系统。为了在数据库中存储密码,我使用 sha256 加密密码,如下所示:
$salt ="sometext";
$escapedPW="userpass";
$saltedPW = $escapedPW . $salt;
$hashedPW = hash('sha256', $saltedPW);
echo "<center>".$hashedPW."</center>";
In the database I am storing the user, the user's password and the salt used to make hash and validate the user's login. Right now I'm doing the functionality to send to the user an email with your password, but when the user receives the email, since is stored in sha256 encrypted password, the user receives a long string and not the password that the user is supposed to know.
在数据库中,我存储了用户、用户的密码和用于生成散列和验证用户登录的盐。现在我正在执行向用户发送带有密码的电子邮件的功能,但是当用户收到电子邮件时,由于存储在 sha256 加密密码中,用户会收到一个长字符串,而不是用户应该收到的密码知道。
My question is there any way that I can send you the actual user password and non the password encryption, ie, there is some way to do the reverse of sha256 if I know the salt?. If not possible, what method of encryption is recommended for you to complete the reverse of the encryption key and send the actual password to the user in an email.
我的问题是有什么方法可以向您发送实际用户密码和非密码加密,即,如果我知道盐,有什么方法可以执行 sha256 的反向操作?如果不可能,建议您使用哪种加密方法来完成加密密钥的反向并将实际密码通过电子邮件发送给用户。
采纳答案by Henrik Skogmo
As mentioned in the comments of your question, reversing the hash is not really an option.
正如您在问题的评论中所提到的,反转哈希并不是一种真正的选择。
What you can do however, and this is what everybody else does as well. In your registration code (ex. register.php) which your form post to you can make the PHP script send the password in an email and then encrypt it and store it in the database.
然而,你可以做什么,这也是其他人所做的。在您的表单发布的注册代码(例如 register.php)中,您可以让 PHP 脚本通过电子邮件发送密码,然后对其进行加密并将其存储在数据库中。
I suppose you have a registration form of some kind, and that form supposedly posts the new users details to another (or the same) php script, doesn't it?
我想您有某种注册表单,并且该表单应该将新用户的详细信息发布到另一个(或相同的)php 脚本,不是吗?
For example if my form said something like <form method="post" action="register.php">
例如,如果我的表格说的是 <form method="post" action="register.php">
And in register.phpI would then have something like
然后register.php我会有类似的东西
<?php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']); /*cleartext*/
$email = mysql_real_escape_string($_POST['email']);
mail($email,"New account","Your username \"$username\" and your password is \"$password\"");
$salt ="sometext";
$escapedPW="userpass";
$saltedPW = $escapedPW . $salt;
$hashedPW = hash('sha256', $saltedPW);
mysql_query("INSERT INTO users (username, password, email) VALUES ($username, $hashedPW, $email)")
Some rough example code. I hope it helps!
一些粗略的示例代码。我希望它有帮助!
回答by Terrel Shumway
You should NEVER send plaintext passwords via email. Rather, send a time-limited, single-use "reset password" link, as suggested in the comments.
您永远不应该通过电子邮件发送明文密码。相反,按照评论中的建议,发送限时、一次性使用的“重置密码”链接。
You should notuse a simple hash as suggested by @Henrik. Use a standard adjustable-work password KDF (PBKDF2,bcrypt,scrypt)
你应该不使用一个简单的哈希通过@Henrik的建议。使用标准的可调整工作密码 KDF (PBKDF2,bcrypt,scrypt)
If you can use PHP 5.5, use the standard password hashing functions. There are hosts which do support PHP 5.5, but you have to look for them and ask for it.
如果您可以使用 PHP 5.5,请使用标准密码散列函数。有些主机确实支持 PHP 5.5,但您必须寻找它们并要求它。
There are many places on the web that explain how to do it correctly (e.g. https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Authentication) and many that explain how to do it incorrectly. PLEASE take some time to research this before you decide to roll your own authentication system.
网络上有很多地方解释了如何正确地执行此操作(例如https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Authentication)以及许多解释如何错误地执行此操作的地方。在您决定推出自己的身份验证系统之前,请花一些时间对此进行研究。
