
encryption - Adding a salt to .htpasswd?

Reposted. Author: 行者123. Updated: 2023-12-04 01:00:52

Is it possible to add a salt to the passwords in a .htpasswd file? I assume not, because the server would need the salt for each user in order to verify the password and I can't think of how it would obtain them, but otherwise the list would be very vulnerable if someone got hold of it. Is there a solution?

Thanks a lot for your help,

Accepted answer

By default, htpasswd uses the standard crypt function, so the passwords are already salted - note that in this example both users have the same password but different hashes:

simon@diablo:~$ htpasswd -b -c htpasswd simon abcd
Adding password for user simon
simon@diablo:~$ htpasswd -b htpasswd simon2 abcd
Adding password for user simon2
simon@diablo:~$ cat htpasswd
simon:NWvm/LCCxQ64E
simon2:2I.LBzsRqULN6

(note: the -b flag is normally discouraged because other users can see your command line arguments and hence the password)

The first two characters of the hash are the salt; passwords are verified by calling crypt() again. Entering the wrong password produces a string that's unequal to the hashed password:

>>> from crypt import crypt
>>> crypt("wrongpass", "NWvm/LCCxQ64E")
'NWbxQgX1unvso'

whereas the correct password produces the expected hash:

>>> crypt("abcd", "NWvm/LCCxQ64E")
'NWvm/LCCxQ64E'

htpasswd -m uses a different, MD5-based algorithm with a longer salt:

simon@diablo:~$ htpasswd -m -b -c htpasswd simon abcd
Adding password for user simon
simon@diablo:~$ cat htpasswd
simon:$apr1$mfvnBVmG$iIHIHOaH9vcImG5G.8eVa/

Here, the salt is the 8 characters between the second and third $.

htpasswd -s stores a SHA-1 digest with no salt; this appears to be for compatibility with Netscape/LDIF:

simon@diablo:~$ htpasswd -s -b -c htpasswd simon abcd
Adding password for user simon
simon@diablo:~$ htpasswd -s -b htpasswd simon2 abcd
Adding password for user simon2
simon@diablo:~$ cat htpasswd
simon:{SHA}gf6L/odXbD7LIkJvjleEc4KRes8=
simon2:{SHA}gf6L/odXbD7LIkJvjleEc4KRes8=

These can easily be reversed - convert into a hex digest:

>>> import base64
>>> base64.b64decode("gf6L/odXbD7LIkJvjleEc4KRes8=").hex()
'81fe8bfe87576c3ecb22426f8e57847382917acf'

and then look it up in an online hash database.
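The answer above describes three hash formats that can appear in a .htpasswd file (traditional crypt with a two-character salt, Apache's $apr1$ MD5 with an eight-character salt, and unsalted {SHA}). The following Python 3 script is an added example, not code from the answer or from Apache's htpasswd tool: it parses the file, reports which scheme and salt each entry uses, verifies {SHA} entries directly with hashlib (possible precisely because they carry no salt), and flags unsalted entries and identical hashes, which are the symptom shown in the answer. The sample file contents are constructed from the hashes quoted above; the bcrypt ($2y$) recognition goes beyond the page and corresponds to htpasswd -B in Apache 2.4.

```python
import base64
import hashlib
import re

# Constructed .htpasswd contents. The entries reuse the hashes shown in the
# answer: two crypt entries, one apr1 MD5 entry, and two unsalted {SHA}
# entries that both correspond to the password "abcd".
SAMPLE_HTPASSWD = """\
simon:NWvm/LCCxQ64E
simon2:2I.LBzsRqULN6
simon3:$apr1$mfvnBVmG$iIHIHOaH9vcImG5G.8eVa/
simon4:{SHA}gf6L/odXbD7LIkJvjleEc4KRes8=
simon5:{SHA}gf6L/odXbD7LIkJvjleEc4KRes8=
"""

# $apr1$<salt up to 8 chars>$<22-char digest>
APR1_RE = re.compile(r"^\$apr1\$([^$]{1,8})\$[./0-9A-Za-z]{22}$")
# $2a$/$2b$/$2y$<2-digit cost>$<22-char salt><31-char digest>  (htpasswd -B)
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d\d\$([./0-9A-Za-z]{22})[./0-9A-Za-z]{31}$")
# Traditional DES crypt: 13 characters, the first two of which are the salt.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(hash_field):
    """Return (scheme, salt) for one htpasswd hash field.

    salt is None for the unsalted {SHA} scheme and for unrecognised fields.
    """
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted", None
    m = APR1_RE.match(hash_field)
    if m:
        return "apr1-md5", m.group(1)   # the 8 chars between the 2nd and 3rd '$'
    m = BCRYPT_RE.match(hash_field)
    if m:
        return "bcrypt", m.group(1)     # 22-char salt following the cost factor
    if CRYPT_RE.match(hash_field):
        return "crypt", hash_field[:2]  # first two characters are the salt
    return "unknown", None


def parse_htpasswd(text):
    """Parse 'user:hash' lines into dicts, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme, salt = classify(hash_field)
        entries.append({"user": user, "hash": hash_field,
                        "scheme": scheme, "salt": salt})
    return entries


def verify_sha(hash_field, password):
    """Check a {SHA} entry: it is just base64(SHA-1(password)), no salt."""
    digest = hashlib.sha1(password.encode()).digest()
    return hash_field == "{SHA}" + base64.b64encode(digest).decode()


def audit(text):
    """Report unsalted entries and duplicate hashes (a sign of missing salt)."""
    findings = []
    seen = {}
    for e in parse_htpasswd(text):
        if e["salt"] is None:
            findings.append((e["user"], "unsalted or unrecognised scheme: " + e["scheme"]))
        seen.setdefault(e["hash"], []).append(e["user"])
    for users in seen.values():
        if len(users) > 1:
            findings.append((",".join(users),
                             "identical hash: same password is visible because there is no salt"))
    return findings


if __name__ == "__main__":
    for e in parse_htpasswd(SAMPLE_HTPASSWD):
        print(f"{e['user']:8s} scheme={e['scheme']:14s} salt={e['salt']}")
    for who, problem in audit(SAMPLE_HTPASSWD):
        print(f"FINDING {who}: {problem}")
```

Running the script lists each user's scheme and salt, then prints three findings: the two {SHA} users individually, and the pair of them again because their hashes collide. The crypt and apr1 entries are not verified here, since that needs the platform crypt() routine the answer uses; the {SHA} check alone is enough to show why an unsalted digest can be looked up rather than cracked.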

Regarding "encryption - Adding a salt to .htpasswd?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/4175707/
