问题标签 [password-storage]
For questions regarding programming in ECMAScript (JavaScript/JS) and its various dialects/implementations (excluding ActionScript). Note JavaScript is NOT the same as Java! Please include all relevant tags on your question; e.g., [node.js], [jquery], [json], [reactjs], [angular], [ember.js], [vue.js], [typescript], [svelte], etc.
passwords - hybris 如何存储密码哈希
TLDR:在将密码哈希存储到数据库之前,Hybris 如何处理它们?因为数据库字段中的值不是标准密码哈希。
我必须在上面添加TLDR,因为两个用户发布的答案表明他们没有阅读(或理解)这个问题。
我正在使用 Hybris 1905。当我在后台设置用户密码时,我可以选择散列算法的类型,包括 MD5、SHA-256 和其他一些算法。然而,存储在数据库中的密码值显然不是算法的简单哈希。例如,这里是密码的散列test1234,具有各种散列算法:
- 盐渍MD5:
1:Gtjd5QVM/t0HLT5PvZCU4g==s9B8Vw/BIkzixwzMzueRR1R6WY9y8Fq9BqFqwGIuY2fGK+KFYSXjNf5G0fbAlb9u - SHA-256:
1:etvHTnwzMfX/DnbNPhmQBA==8jq6sLLcb/PrIhVB9D+YA61L2mr0dlBYr/84G/K9Kzqe4gpvPF10ja8RaIE94b3A+joszlMutGrHezDs871A/8Yr4oVhJeM1/kbR9sCVv24= - SHA-512:
1:ZSaQW0C+r/NMVwRRVTCm9w==4qQJdmvU4PE02ipY0Mvkp2sb+bMuMHTiMIVE2m6NESzv2BEFG2O1MIjkzFUES6f7jzoVOEuVmd/E8mqOUoogbL9rpkOPmeMEj5EpB2iued3UAouLvv6PuUCyFJGJdoRsZJzwO2Lj30iokY4RsG0OKXYuGdUjNYU7X1AUggH+eWfGK+KFYSXjNf5G0fbAlb9u - PBKDF2 (HMAC-SHA1):
1:HIKWvUwTA/pVC9mXzl9qgw==NOsr8pkNUIbEGoiWFa5oArnlEfZNALK0cuczK7dxtxHbDTby+7w3ml1pf8HNmXjalq1A/tSvlb+gwZMRS4Q7ncMhU5w1b6HwV+BGEBG9ecqahzUOK7mNZrLbh9t50M0mRr2AVQJnn7bfvdJ5E3C4UPdoN44v1mAgIuC/9RKTnhj/1BhjHqKf1pozhFfoBz8FdSxBQMmKY91/c4VzkinqiSy5wkaWjOSQQuAN9ZoWmvw= - BCrypt:
1:GL1kPl93Nx4RjOymIhC1Kw==Xh9ZddGPIxUqpipcEvJ+bRHApEyWVPkXtxPlsYgzokUo4ktC/vh4weA6hrMEebtQC/OttaVzG3+9tUCHxFHCcw==
显然,这是 Hybris 在所选散列算法之上的某种编码——但它是什么?它是编码(即可以解码)还是散列?
我需要将一个大型用户数据库从另一个平台迁移到这个 Hybris 安装。我有想要导入的现有用户名和相应的散列密码。这些是标准的 bcrypt 哈希,所以相同的test1234字符串会有 hash $2y$16$mK9cm.pwOp8ve9oH0VqkT.123HGy/RHYLcd1GB.N5zEqBylV.22wm。然而,我很难理解如何将此哈希导入 Hybris 用户表。
cryptography - 保存使用用户密码加密的私钥是否比在数据库中存储哈希更安全?
存储由用户密码加密的客户端生成的私钥是否比存储密码的哈希更安全?(加密部分是在客户端完成的,它将被发送到服务器,用户密码不会被发送到服务器)
javascript - 应用 PasswordStrengthBar 后,我应该如何检查密码是弱密码还是好密码?
我正在使用PasswordStrengthBar import PasswordStrengthBar from 'react-password-strength-bar';
https://www.npmjs.com/package/react-password-strength-bar
我想在单击确认按钮并且密码很弱时显示一条消息.. 我应该如何检查密码是弱密码还是好密码?
python - Python Doesn't Derive Same Hashkey For a given password and salt as Keycloak or Online Password Hashers
My use-case is that I need to migrate some passwords from Keycloak to Django. My sample password on Keycloak is 'qwerty123'. The Corresponding Hash Generated In Keycloak DB is this:
However, if I paste this directly into the DB in the format specified by Django's Password Hashers, i.e,
I get a password mismatch error. I tried to retrace the password hasher in Python, and found that it is generating a different hash from the one that I am inserting. I did:
And The Output I got here was:
I also tried recreating the django password hasher code:
Output for which is:
Which is nowhere even close to the hash that Keycloak generated, can someone tell me what mistake am I making exactly? Any help will be appreciated.
I tried to check if Keycloak was doing some post processing before storing into the DB, so I checked this hash on 8gwifi.org . And it generates a hash identical to the one stored on Keycloak. So Python should also be able to arrive at the same hash. Screenshot From 8gwifi
