dcc*_*ics 5 php hash crypt salt
I have a problem using crypt(): if a user has a password (password1 in this case) and changes it to password2, the hash returns the same result. You can test it here: OLD LINK. Type password1 as the current password and password2 as the new password and confirm password, and you will see the result. If you enter completely dissimilar passwords there is no problem. I know there are other ways to hash passwords and so on; I am more curious than anything. My code is below:
<?php
session_start(); // $_SESSION is read below, so the session must be started first
$oldpassword = "password1";
echo "<form method=\"post\">
<p>Enter Current Password: <input type=\"password\" name=\"currentpassword\" /></p>
<p>Enter New Password: <input type=\"password\" name=\"password\" /></p>
<p>Confirm New Password: <input type=\"password\" name=\"confirmpassword\" /></p>
<p><input type=\"submit\" value=\"Change Password\"></p>
</form>";
$user_id = $_SESSION['user_id'] ?? null;
$salt = 'xxxxx'; // fixed salt shared by every hash
// Only read the POST fields once the form has actually been submitted
if (isset($_POST['password'], $_POST['currentpassword'], $_POST['confirmpassword'])) {
    $pass = $_POST['password'];
    $currentpassword = crypt($_POST['currentpassword'], $salt);
    $oldpassword = crypt($oldpassword, $salt);
    if ($currentpassword !== $oldpassword) {
        echo "The password you entered for current password does not match our records.";
    } else {
        if ($_POST['password'] && $_POST['confirmpassword']) {
            if ($_POST['password'] == $_POST['confirmpassword']) {
                $hash = crypt($pass, $salt);
                if ($hash == $currentpassword) {
                    // Debug output showing both inputs and both hashes
                    echo "Current Password: ";
                    var_dump($_POST['currentpassword']);
                    echo "<br/>";
                    echo "New Password: ";
                    var_dump($_POST['password']);
                    echo "<br/>";
                    echo "New Hash: ";
                    var_dump($hash);
                    echo "<br/>";
                    echo "Current Password Hash: ";
                    var_dump($currentpassword);
                    echo "<br/>";
                    echo "<hr/>";
                    echo "Your new password cannot be the same as your current password.";
                } else {
                    echo "Your password has been changed successfully<br/>";
                }
            } else {
                echo "Your passwords do not match. Please try again.";
            }
        }
    }
}
?>
dev*_*ler 13
To use crypt you must supply a proper salt. Each algorithm has its own salt format. My guess is that you use a few random characters as the salt, which does not match any of the advanced algorithms, so PHP reduces your salt to the first 2 characters and falls back to the basic DES algorithm. The DES algorithm hashes at most 8 characters, and both password1 and password2 are 9 characters long, so only "password" from the two is used, hence the same hash.
Solution: use the proper salt format to get the strongest available algorithm, and generate a random salt for every password.
Recommended solution: https://github.com/ircmaxell/password_compat (for php 5.3.7 - 5.4.x) and, after switching to php 5.5: http://php.net/password_hash
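As an added illustration of the answer above (not code from the question or the answer), the following PHP reproduces the DES truncation with a 2-character salt, shows that a correctly formatted bcrypt salt distinguishes password1 from password2, and rewrites the change-password check on top of password_hash()/password_verify(). The helper names are the example's own.

```php
<?php
// Added example: why a 2-character salt collides and how a proper salt or
// password_hash() avoids it. Helper names are this example's own.

function desCollides(string $a, string $b): bool {
    // 'xxxxx' matches no modern crypt() scheme, so PHP keeps only the first
    // 2 characters and uses traditional DES, which ignores everything after
    // the 8th character of the password.
    $salt = 'xx';
    return hash_equals(crypt($a, $salt), crypt($b, $salt));
}

function bcryptSalt(): string {
    // bcrypt salt format: "$2y$" + 2-digit cost + "$" + 22 chars of [./A-Za-z0-9]
    $raw = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return '$2y$10$' . $raw;
}

function bcryptCollides(string $a, string $b): bool {
    // Same random salt for both inputs, so only the password differs.
    $salt = bcryptSalt();
    return hash_equals(crypt($a, $salt), crypt($b, $salt));
}

// Recommended path: password_hash() chooses the algorithm and a fresh random
// salt per call, and password_verify() reads the salt back from the hash.
function changePassword(string $storedHash, string $current, string $new, string $confirm): array {
    if (!password_verify($current, $storedHash)) {
        return [false, 'The password you entered for current password does not match our records.'];
    }
    if ($new !== $confirm) {
        return [false, 'Your passwords do not match. Please try again.'];
    }
    if (password_verify($new, $storedHash)) {
        return [false, 'Your new password cannot be the same as your current password.'];
    }
    // Caller stores this new hash; it is never equal to $storedHash because
    // the salt is regenerated, which is why verification goes through
    // password_verify() rather than a string comparison of hashes.
    return [true, password_hash($new, PASSWORD_DEFAULT)];
}

var_dump(desCollides('password1', 'password2'));
var_dump(bcryptCollides('password1', 'password2'));

$stored = password_hash('password1', PASSWORD_DEFAULT); // constructed stored hash
[$ok, $result] = changePassword($stored, 'password1', 'password2', 'password2');
var_dump($ok);
```

With the DES fallback the first check reports a collision for the two 9-character passwords from the question, while the bcrypt check and the password_hash() flow treat them as distinct.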