发表新帖
发表新帖

How do I convert password hashing from MD5 to SHA?

前端 未结
关注
7 682
谎友^
谎友^ 2020-12-29 08:06

I\'ve got an old application that has user passwords stored in the database with an MD5 hash. I\'d like to replace this with something in the SHA-2 family.

I\'ve tho

相关标签:
7条回答
  • 轮回少年
    2020-12-29 08:23

    I think you've already got the best possibilities. I like #1 more than #2, since there's no use for the md5 once the sha is set.

    There's no way to reverse the MD5, so you have to wait for the user to authenticate again to create a new hash.

    0 讨论(0)
  • 夕颜
    2020-12-29 08:26

    You can convert all your MD5 Strings to SHA1 by rehashing them in your DB if you create your future passwords by first MD5ing them. Checking the passwords requires MD5ing them first also, but i dont think thats a big hit.

    php-code (login):

    prev: $login = (md5($password) == $storedMd5PasswordHash);

    after: $login = (sha1(md5($password)) == $storedSha1PasswordHash);

    Works also with salting, got the initial idea from here.

    0 讨论(0)
  • 佛祖请我去吃肉
    2020-12-29 08:27

    Essentially the same, but maybe more elegant than adding extra fields: In the default authentication framwork in Django, the password hashes are stored as strings constructed like this:

    hashtype$salt$hash

    Hashtype is either sha1 or md5, salt is a random string used to salt the raw password and at last comes the hash itself. Example value:

    sha1$a1976$a36cc8cbf81742a8fb52e221aaeab48ed7f58ab4
    0 讨论(0)
  • 死守一世寂寞
    2020-12-29 08:39

    No - basically you'll have to keep the MD5 in place until all the users you care about have been converted. That's just the nature of hashing - you don't have enough information to perform the conversion again.

    Another option in-keeping with the others would be to make the password field effectively self-describing, e.g.

    MD5:(md5 hash)
SHA:(sha hash)

    You could then easily detect which algorithm to use for comparison, and avoid having two fields. Again, you'd overwrite the MD5 with SHA as you went along.

    You'd want to do an initial update to make all current passwords declare themselves as MD5.

    0 讨论(0)
  • 隐瞒了意图╮
    2020-12-29 08:42

    If the MD5's aren't salted you can always use a decryption site/rainbow tables such as: http://passcracking.com/index.php to get the passwords. Probably easier to just use the re-encode method though.

    0 讨论(0)
  • 被撕碎了的回忆
    2020-12-29 08:47

    Your second suggestion sounds the best to me. That way frequent users will have a more secure experience in the future.

    The first effectively "quirks-mode"'s your codebase and only makes sure that new users have the better SHA experience.

    0 讨论(0)
 看不清?
提交回复
热议问题