問題描述
我有一個(gè)現(xiàn)有的網(wǎng)站,使用 CakePhp 1.3 構(gòu)建.在那個(gè)網(wǎng)站上,我使用了 MD5 算法作為密碼哈希.
I have an existing website, built using CakePhp 1.3. In that website I have used MD5 algorithm for the password hash.
現(xiàn)在我想將我的 CakePhp 版本升級到 2.3.5,但我無法將 MD5 用于密碼哈希.
Now I want to upgrade my CakePhp version to 2.3.5, but I'm unable to use MD5 for the password hash.
我想知道為什么我不能在 CakePhp 2.x 中使用 MD5.?
I would like to know why I can't use MD5 in CakePhp 2.x. ?
推薦答案
不要使用 md5 作為密碼
md5 不是用于散列密碼的合適散列算法,請勿使用它.有很多很多參考資料可以解釋原因 - 包括 php手冊:
MD5、SHA1 和 SHA256 等哈希算法旨在非常快速和高效.借助現(xiàn)代技術(shù)和計(jì)算機(jī)設(shè)備,蠻力"這些算法的輸出以確定原始輸入已變得微不足道.
Why are common hashing functions such as md5() and sha1() unsuitable for passwords?
Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to "brute force" the output of these algorithms, in order to determine the original input.
由于現(xiàn)代計(jì)算機(jī)反轉(zhuǎn)"這些散列算法的速度有多快,許多安全專家強(qiáng)烈建議不要使用它們進(jìn)行密碼散列.
Because of how quickly a modern computer can "reverse" these hashing algorithms, many security professionals strongly suggest against their use for password hashing.
如何更改默認(rèn)哈希算法
您可以使用 setHash,一種推薦的哈希算法密碼是河豚:
Security::setHash('blowfish');
如何處理現(xiàn)有密碼
如果你真的想,你可以改變 setHash 使用 md5.
但這不是一個(gè)好主意.
不要為了適應(yīng)舊應(yīng)用程序糟糕的安全性而損害新應(yīng)用程序/更新應(yīng)用程序的安全性.您可以使用如下邏輯(偽代碼):
Don't compromise the security of a new/updated application just to accommodate the poor security of the old one. Instead of using the same hash algoritm (and salt) as the previous application you can use logic such as the following (pseudo-ish code):
$username = $this->data['User']['username'];
$plainText = $this->data['User']['password'];
$user = current($this->User->findByUsername($username));
Security::setHash('blowfish');
$blowfished = Security::hash($plainText, 'blowfish', $user['password']);
if ($blowfished === $user['password']) {
return true; // user exists, password is correct
}
$oldSalt = Configure::read('configure.this');
$md5ed = Security::hash($plainText, 'md5', $oldSalt);
if ($md5ed === $user['password']) {
$this->User->id = $user['id'];
$blowfished = Security::hash($plainText);
$this->User->saveField('password', $blowfished);
return true; // user exists, password now updated to blowfish
}
return false; // user's password does not exist.
這種邏輯并不復(fù)雜,可以避免繼續(xù)使用糟糕的哈希算法.
This kind of logic is not complex, and prevents the need to continue using a bad hash algorithm.
這篇關(guān)于在 Cakephp 2.x 的 Auth 組件中使用 Md5 進(jìn)行密碼哈希的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!