Using MD5 for password hashing in the CakePHP 2.x Auth component
I have an existing website, built using CakePHP 1.3. In that website I have used the MD5 algorithm for the password hash.
Now I want to upgrade my CakePHP version to 2.3.5, but I'm unable to use MD5 for the password hash.
I would like to know why I can't use MD5 in CakePHP 2.x?
Accepted answer
Don't use md5 for passwords
md5 is not an appropriate hash algorithm for hashing passwords; don't use it. There are many, many references that explain why, including the PHP manual:
Why are common hashing functions such as md5() and sha1() unsuitable for passwords?
Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to "brute force" the output of these algorithms, in order to determine the original input.
Because of how quickly a modern computer can "reverse" these hashing algorithms, many security professionals strongly suggest against their use for password hashing.
How to change the default hash algorithm
You can use setHash; a recommended hash algorithm for passwords is blowfish:
Security::setHash('blowfish');
How to handle existing passwords
If you really want to, you can change setHash to use md5. But this is not a good idea.
Don't compromise the security of a new/updated application just to accommodate the poor security of the old one. Instead of using the same hash algorithm (and salt) as the previous application you can use logic such as the following (pseudo-ish code):
// Inside a controller action in CakePHP 2.x (e.g. a custom login action):
// verify the submitted password and, if it only matches the legacy md5
// hash, upgrade the stored hash to blowfish on the spot.
$username  = $this->request->data['User']['username'];
$plainText = $this->request->data['User']['password'];
$user = current($this->User->findByUsername($username));
if (empty($user)) {
    return false; // no such user
}

// 1. Try the new scheme first. Passing the stored hash as the salt makes
//    Security::hash() reuse the salt and cost embedded in that hash.
Security::setHash('blowfish');
$blowfished = Security::hash($plainText, 'blowfish', $user['password']);
if ($blowfished === $user['password']) {
    return true; // user exists, password is correct
}

// 2. Fall back to the legacy scheme: md5 over the old app's salt + password.
$oldSalt = Configure::read('configure.this'); // placeholder: the salt the 1.3 app used
$md5ed = Security::hash($plainText, 'md5', $oldSalt);
if ($md5ed === $user['password']) {
    // Legacy hash matched: re-hash with blowfish (fresh salt) and store it.
    $this->User->id = $user['id'];
    $blowfished = Security::hash($plainText, 'blowfish');
    $this->User->saveField('password', $blowfished);
    return true; // user exists, password now updated to blowfish
}
return false; // user exists, but the password is wrong
This kind of logic is not complex, and prevents the need to continue using a bad hash algorithm.
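The same verify-then-migrate logic as a framework-free PHP script, added here as an example; it is not code from the original answer or from CakePHP itself. It shows what the two `Security::hash()` branches in the answer do under the hood (crypt() with the stored bcrypt hash as the salt, and md5 over the application-wide salt plus password), adds a constant-time comparison, and runs against constructed sample users. The helper names, the users array and the legacy salt value are assumptions made for the example.

```php
<?php
// Added example (not from the original post or from CakePHP): transparent
// migration from legacy md5(appSalt . password) hashes to bcrypt ("blowfish").
// Assumption: the CakePHP 1.3 site stored md5(Security.salt . $password).

// What Security::hash($pw, 'blowfish', $storedHash) does: crypt() reads the
// cost and 22-character salt embedded in $storedHash and re-hashes with them.
function blowfish_verify($plainText, $storedHash) {
    if (strncmp($storedHash, '$2', 2) !== 0 || strlen($storedHash) !== 60) {
        return false; // not a bcrypt hash, so nothing for this branch to verify
    }
    return hash_equals_compat(crypt($plainText, $storedHash), $storedHash);
}

// What Security::hash($pw, 'blowfish') with no salt does: a fresh random
// 22-character salt from the bcrypt alphabet [./A-Za-z0-9], cost 10 by default.
function blowfish_hash($plainText, $cost = 10) {
    $salt = substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 22);
    return crypt($plainText, sprintf('$2y$%02d$%s', $cost, $salt));
}

// What Security::hash($pw, 'md5', $appSalt) does: one salt for the whole site,
// so identical passwords produce identical hashes across users.
function legacy_md5_verify($plainText, $storedHash, $appSalt) {
    return hash_equals_compat(md5($appSalt . $plainText), $storedHash);
}

// Constant-time comparison; hash_equals() only exists from PHP 5.6 on.
function hash_equals_compat($a, $b) {
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Verify a login. On a legacy match, return the bcrypt hash that should
// replace the md5 one. Returns array(bool $ok, string|null $newHash).
function check_and_migrate($plainText, $storedHash, $appSalt) {
    if (blowfish_verify($plainText, $storedHash)) {
        return array(true, null);
    }
    if (legacy_md5_verify($plainText, $storedHash, $appSalt)) {
        return array(true, blowfish_hash($plainText));
    }
    return array(false, null);
}

// Constructed sample data (hypothetical): one migrated user, one still on md5.
$appSalt = 'example-legacy-site-salt';
$users = array(
    'alice' => blowfish_hash('correct horse'),
    'bob'   => md5($appSalt . 'battery staple'),
);
$attempts = array(
    array('alice', 'correct horse'),
    array('bob',   'battery staple'), // legacy match: hash gets upgraded
    array('bob',   'wrong password'), // now verified against the new bcrypt hash
);
foreach ($attempts as $attempt) {
    list($name, $pw) = $attempt;
    list($ok, $newHash) = check_and_migrate($pw, $users[$name], $appSalt);
    if ($ok && $newHash !== null) {
        $users[$name] = $newHash; // the saveField('password', ...) step
    }
    printf("%s: %s%s\n", $name, $ok ? 'ok' : 'rejected',
        $newHash !== null ? ' (hash upgraded to blowfish)' : '');
}
```

On PHP 5.5 or later the bcrypt half of this (blowfish_hash and blowfish_verify) is exactly what the built-in password_hash(), password_verify() and password_needs_rehash() provide, and those should be preferred over hand-rolled crypt() calls; the legacy md5 branch still has to be written by hand because it depends on the old application's salt.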