Check if string is a hash

久未见 提交于 2019-12-13 17:34:18

问题


I'm using SHA-512 to hash my passwords (with a salt ofcourse). I don't think that what I want is possible, but let's ask anyway.

Is there a way to check if a string is a SHA-512 (or another algorithm) hash already?

When a user logs in, I want to do a check on his password. If it's still in plain text, it should get converted to a secure form.


回答1:


Your task is extremely simple and require no strings checking.

Just compare entered password with stored one first.
If matched - here it is, a plain password. So, you can start conversion process.




回答2:


As @zerkms already mentioned the string length is the most obvious thing you can test against. Also hashes usually are written in hexadecimal, so it only consists of the digits 0 to 9 and the characters a to f. Or as regular expression

/[0-9a-f]{64}/i



回答3:


I'm a bit confused by this question.

When a user enters his or her password on your website, you can assume that the value in $_POST['password'] (or whatever you name it) is in plain text. Even if the user is using the result of a hash function as their password, that doesn't matter, since as far as your application is concerned, it's still plain text. That is, the hashed value is the users password, no matter the steps they took to create it, as the entry of that value into the system results in access for that user. The point of hashing user-submitted passwords on the server is so that even you don't know that users password. That way, if your database is compromised, the users password isn't revealed.

Once you have the password, you retrieve that users salt and hashed password from the database. You take the submitted form, hash it with the user-specific salt, then compare it to the pre-hashed password from the database. If the hashed submission and the pre-hashed database values match, then you can assume the correct password was entered.

The only reason I can see for doing things as you describe, is if you had previously stored your passwords in plain text, and are now in the process of converting them all to hashes. In that case, you should simply assign each user a unique salt, hash their current plain-text password + salt, and store that as their new password. This conversion should occur all at once, when the "hashwords" are enabled, rather than doing it piecemeal as the users login for the first time post-transition.




回答4:


Obviously the only way to guess is to check the string length. I bet no one has so long password.




回答5:


why u want to check the hashed password during login.no user put hashed string as a password.

u must check like this

if (sha1($input_password) === 'your hased password') {
    //go ahead
}



回答6:


You can hash the user password when he/she submit the form, this require javascript ofcourse.

function myOnSubmit(aForm) {
    //Getting the password input object
    var inputPassword = aForm['password'];

    //Hashing the password before submitting
    inputPassword.value = sha512_hash(inputPassword.value);

    //Submitting
    return true;
}

Your form will be like this:

<form onsubmit="return myOnSubmit(this);">
<input type="text" name="login"><br>
<input type="password" name="password"><br>
<input type="submit" name="send">
</form>

As I know, there is no sha512 native function come with JS, so you need sha512 function, you may check this.



来源:https://stackoverflow.com/questions/5648929/check-if-string-is-a-hash

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!