2016-01-21 62 views
1

I'm looking for some help or advice on best practices for updating my password system. A while ago (before I really knew what I was doing) I built a login system in PHP, and all it does is encrypt passwords with sha1, which I know is neither secure nor convenient. Changing the password structure without affecting current users.

So basically, on a successful login, all it does is

$password = sha1($password1);

I'd like to use a different method that I've been using recently, which makes use of the crypt blowfish function, like this:

function generateHash($password_1){
    if(defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH){
        //echo "WE HAVE CRYPT BLOWFISH YAYA";
        //'$2y$' needs PHP 5.3.7+; the 22-character salt must be drawn from [./0-9A-Za-z], which md5 hex satisfies
        $salt = '$2y$11$'. substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password_1, $salt);
    }//End If
    return false; //No bcrypt available: the caller must treat this as a hard failure, not store it
}//End Function generateHash

At registration I encrypt the password:

$password_1 = $_POST['password_1'];
//Hash the password
$password = generateHash($password_1);

Then at login I use

//$stored_hash is the crypt() hash saved for this user; passing it as the salt re-uses its '$2y$11$...' prefix
$hashed_password = crypt($password_1, $stored_hash);
if($hashed_password != $stored_hash){
    $error['password'] = 'The password or username you entered is incorrect.';
}else{
    echo 'You are good to go!';
}

I have a lot of users and want to make the change seamless, or at least with very little impact on them. Is it even possible to do this without them noticing the change? Any help or advice is appreciated.

Thanks

+0

You could check how long the stored password is; SHA1 should be exactly 40 characters. If it is 40 characters long, use the old method and direct them to a change-password page, otherwise use the new method. – Ian

+0

Does your table have an inserted-date column? –

+0

Yes, I have an auto timestamp column – bilcker

Answers

0

Thanks for the idea, Cvetomir. So what I did was create a new column in the table called encrypted_password; basically, all new registrations will be encrypted with CRYPT_BLOWFISH.

So basically my solution (not sure how elegant it is, but it works) looks at each password. If the entered password matches the SHA1 password, it takes the posted password, encrypts it into the new format and adds it to the database.

Once the encrypted password column is updated I'll remove the old password column. Either way, I'm happy to hear thoughts/suggestions to make it better, but for now it works, after a lot of trial and error on this one.

if(!$errors && $username == $teacher_row['username']){
    if($_POST['password1'] != ''){
        $posted_password = $_POST['password1'];
        $old_password = sha1($posted_password);
        //If the old SHA1 password does not match the database then try to match it with our new method
        if($old_password != $teacher_row['password1']){
            //Grab the new column
            $user_password = $teacher_row['encrypted_password'];

            //Re-crypt the posted password with the stored hash as salt to see if they match
            $hashed_password = crypt($posted_password, $user_password);
            //If it doesn't match throw an error
            if($hashed_password != $user_password){
                $errors['username'] = 'The username or password you entered is incorrect.';
            }//If hashed password != user password
            else{
                //The new password does match, so start the session
                session_regenerate_id();
                //Create our session on session_id and hash it as well ($dhl_id is set earlier)
                $session_id = generateHash($dhl_id);
                $_SESSION['DHL'] = $session_id;
                $_SESSION['TIMEOUT'] = time();
                $_SESSION['TEACHER_ID'] = $teacher_username;
                session_write_close();
            }
        }
        else{ //The old passwords match: store the password in the new format and log in

            $password = generateHash($posted_password);

            //Build our query
            $sql = "UPDATE members_teachers SET encrypted_password = ? WHERE username = ?";
            //Prepare our query; we can not proceed if we can not prepare it
            $stmt = $db_connection->prepare($sql);
            if(false===$stmt){
                die('prepare() failed: ' . htmlspecialchars($db_connection->error));
            }
            //Bind the fields and their parameters to our query in our testing variable $next_step
            $next_step = $stmt->bind_param('ss', $password, $teacher_username);
            //If next_step is false then it didn't work and there is no sense in proceeding
            if(false===$next_step){
                die('bind_param() failed: ' . htmlspecialchars($stmt->error));
            }
            //Place the execute into a variable and test if it executed or not
            $next_step = $stmt->execute();
            //If next_step is false then it didn't work and there is no sense in proceeding
            if(false===$next_step){
                die('execute() failed: ' . htmlspecialchars($stmt->error));
            }

            //The new hashed password is stored, we are good
            session_regenerate_id();
            //Create our session on session_id
            $session_id = generateHash($dhl_id);
            $_SESSION['DHL'] = $session_id;
            $_SESSION['TIMEOUT'] = time();
            $_SESSION['TEACHER_ID'] = $teacher_username;
            session_write_close();

        }//End the old passwords do match

    }//If password is not blank
    else{
        $errors['username'] = 'You must enter a password';
    }
}
1

You can first create a new column in the user table: password, newPassword.
When a user logs in, you can hash the password with the new algorithm and save it in the newPassword column.
After a few days, rename the newPassword column to password.
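As an added example (not code from the question or either answer), here is the same transparent upgrade both answers describe, written against PHP's built-in password API (PHP 5.6+): a login path detects a legacy 40-hex SHA1 hash, verifies it in constant time, and on success returns a bcrypt hash for the caller to write back, while rows that are already bcrypt go through password_verify(). The in-memory $users array, the user names and passwords, and the function names are constructed stand-ins for the members_teachers table; the cost of 11 is assumed from the '$2y$11$' prefix in the question.

```php
<?php
// Added example (not from the question or answers): transparent SHA1 -> bcrypt
// migration on login using PHP's built-in password API (PHP >= 5.6 for hash_equals).
const BCRYPT_COST = 11; // assumed cost, matching the '$2y$11$' prefix in the question

// Legacy hashes are exactly 40 hex characters (unsalted SHA1), as Ian's comment notes.
function is_legacy_sha1($stored) {
    return preg_match('/^[0-9a-f]{40}$/i', $stored) === 1;
}

// Returns array('ok' => bool, 'new_hash' => string|null). A non-null 'new_hash'
// means the caller must UPDATE the stored hash; the plaintext itself is never stored.
function verify_and_migrate($submitted, $stored) {
    $opts = array('cost' => BCRYPT_COST);
    if (is_legacy_sha1($stored)) {
        // Constant-time compare of the legacy digest; upgrade to bcrypt on success.
        if (!hash_equals($stored, sha1($submitted))) {
            return array('ok' => false, 'new_hash' => null);
        }
        return array('ok' => true, 'new_hash' => password_hash($submitted, PASSWORD_BCRYPT, $opts));
    }
    if (!password_verify($submitted, $stored)) {
        return array('ok' => false, 'new_hash' => null);
    }
    // Already bcrypt: rehash only if the cost has since been raised.
    $rehash = password_needs_rehash($stored, PASSWORD_BCRYPT, $opts);
    return array('ok' => true, 'new_hash' => $rehash ? password_hash($submitted, PASSWORD_BCRYPT, $opts) : null);
}

// Constructed in-memory stand-in for the members_teachers table (username => stored hash).
$users = array(
    'alice' => sha1('correct horse'),                                              // legacy row
    'bob'   => password_hash('battery staple', PASSWORD_BCRYPT, array('cost' => BCRYPT_COST)),
);

function login(array &$users, $username, $password) {
    if (!isset($users[$username])) {
        return false;
    }
    $result = verify_and_migrate($password, $users[$username]);
    if ($result['ok'] && $result['new_hash'] !== null) {
        // In production: UPDATE members_teachers SET encrypted_password = ? WHERE username = ?
        $users[$username] = $result['new_hash'];
    }
    return $result['ok'];
}

login($users, 'alice', 'wrong');          // wrong password: the legacy row is left untouched
login($users, 'alice', 'correct horse');  // correct password: alice's row is upgraded to bcrypt
login($users, 'bob', 'battery staple');   // bcrypt row: verified with password_verify()
```

Because a legacy row is only upgraded when its owner logs in, rows that never log in keep their SHA1 digest; those are the accounts to force through a reset before the old column is dropped.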
