
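I have a vBulletin database and I am trying to move the users over to a custom system. I have already converted the usernames and passwords, and then converted the double-MD5 passwords to SHA256, but I still have one problem: the salt.

What is the easiest way to convert the old vBulletin salt, or to check whether the password is correct and then generate a new salt the first time they log in?

Check script: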

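// Reproduce the old vBulletin-style double MD5 of the submitted password
$vbconvert = md5(md5($_POST["password"]));

// First salted SHA-256 pass, followed by 65536 stretching rounds
$check_password = hash('sha256', $vbconvert . $row['salt']);
for ($round = 0; $round < 65536; $round++)
{
    $check_password = hash('sha256', $check_password . $row['salt']);
}

// Compare against the hash stored for this user
if ($check_password === $row['password'])
{
    $login_ok = true;
}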

In short, what is the easiest way to convert or create a new salt?

1 Answer

Do you know about the PHP function password_hash()? It is the recommended way to hash passwords. It automatically generates a cryptographically safe salt for each password and includes it in the resulting 60-character string.

$2y$10$nOUIs5kJ7naTuTFkBy1veuK0kSxUFXfuaOKdOKf9xYT0KKIGSJwFa

The example above is a possible result of password_hash(). Have a look at the part $nOUIs5kJ7naTuTFkBy1veu: this is the generated salt, and it will be used by the function password_verify() to check the password.

You won't have to worry about the salt anymore, no additional database field is necessary, just store the hash and you are fine!

The easiest way to migrate your passwords is to wait for the user to log in the next time. When he enters the password, you can check if the hash is already migrated, then check with password_verify(). If it is not yet migrated, then check it with your old vBulletin code; if the password is correct, then use password_hash() to generate a new hash and store it.

answered 2013-10-30T12:07:54.510
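The migrate-on-login flow described in the answer, as an added example that is not part of the original post. The legacy check follows the question's script; the `legacy_hash()` and `login()` functions, the `$save` callback and the sample row are hypothetical names and constructed data.

```php
<?php
// Legacy scheme, copied from the question's check script.
function legacy_hash(string $password, string $salt): string
{
    $h = hash('sha256', md5(md5($password)) . $salt);
    for ($round = 0; $round < 65536; $round++) {
        $h = hash('sha256', $h . $salt);
    }
    return $h;
}

// $save is a hypothetical callback that persists the new hash for this user.
function login(string $password, array $row, callable $save): bool
{
    $stored = $row['password'];

    // password_get_info() reports 'unknown' for anything password_hash() did not produce.
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        // Already migrated: the salt is embedded in the stored string.
        if (!password_verify($password, $stored)) {
            return false;
        }
        // Upgrade transparently if PHP's default algorithm or cost has changed.
        if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
            $save(password_hash($password, PASSWORD_DEFAULT));
        }
        return true;
    }

    // Not migrated yet: verify with the old salt, using a constant-time comparison.
    if (!hash_equals($stored, legacy_hash($password, $row['salt']))) {
        return false;
    }
    // The plaintext is only available now, so re-hash and store at this point.
    $save(password_hash($password, PASSWORD_DEFAULT));
    return true;
}

// Constructed sample row standing in for a database record.
$row = ['salt' => 'constructed-salt',
        'password' => legacy_hash('correct horse', 'constructed-salt')];
$save = function (string $newHash) use (&$row): void {
    $row['password'] = $newHash; // real code: UPDATE the user's password column
    $row['salt'] = null;         // the separate salt column is no longer needed
};

var_dump(login('wrong guess', $row, $save));   // rejected, row left on the legacy hash
var_dump(login('correct horse', $row, $save)); // accepted via legacy check, row migrated
var_dump(login('correct horse', $row, $save)); // accepted via password_verify()
```

Accounts that never log in again keep the legacy hash and salt, so the old salt column has to stay until those rows are migrated or expired.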