I am trying to figure out what is the security that Drupal 6/7 uses by default to store passwords. Is it MD5, AES, SHA? I have been unable to find anything.
5 answers
#1
65
Drupal 8 and Drupal 7 use SHA512 by default with a salt. They run the hash through PHP's hash function numerous times to increase the computation cost of generating a password's final hash (a security technique called stretching).
With Drupal 8, the implementation is object oriented. There is a PasswordInterface which defines a hash method. The default implementation of that interface is in the PhpassHashedPassword class. That class' hash method calls the crypt method passing in SHA512 as the hashing algorithm, a password, and a generated salt. The class' crypt method is nearly the same as Drupal 7's _password_crypt() method.
With Drupal 7, the implementation is split into a couple global functions: user_hash_password() and _password_crypt().
Drupal 6 uses MD5 without a salt. The relevant function is user_save().
#2
27
Here is an example hash from Drupal 7:

```
"pass" : "$S$Dxl65W9p07LfQU7jvy5CnsyDpMoLujiAgzy123khcg1OJi/P9pKS"
```

- The characters 0-2 are the type ($S$ is Drupal 7)
- The character 3 is the number of log2 rounds (X) based on the position of the char in this list: './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'. So in our example 'D' would map to 15
- The characters 4-11 are the SALT
- The rest is a SHA512 hash using 2^X rounds.

The binary result is then converted to a string using base64.

```php
$count = 1 << $count_log2;
$hash = hash($algo, $salt . $password, TRUE);
do {
  $hash = hash($algo, $hash . $password, TRUE);
} while (--$count);
```

The whole process can be found in: mydrupalsite\includes\password.inc
#3
10
It can be checked inside www\includes\password.inc

```php
function user_check_password($password, $account) {
  if (substr($account->pass, 0, 2) == 'U$') {
    // This may be an updated password from user_update_7000(). Such hashes
    // have 'U' added as the first character and need an extra md5().
    $stored_hash = substr($account->pass, 1);
    $password = md5($password);
  }
  else {
    $stored_hash = $account->pass;
  }
  $type = substr($stored_hash, 0, 3);
  switch ($type) {
    case '$S$':
      // A normal Drupal 7 password using sha512.
      $hash = _password_crypt('sha512', $password, $stored_hash);
      break;
    case '$H$':
      // phpBB3 uses "$H$" for the same thing as "$P$".
    case '$P$':
      // A phpass password generated using md5. This is an
      // imported password or from an earlier Drupal version.
      $hash = _password_crypt('md5', $password, $stored_hash);
      break;
    default:
      return FALSE;
  }
  return ($hash && $stored_hash == $hash);
}
```

It's been clearly written that "// A normal Drupal 7 password using sha512."
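The hash layout from answer #2 and the type dispatch in answer #3's user_check_password(), as a Python port added here for illustration (it is not Drupal's code). It assumes the constants DRUPAL_HASH_LENGTH = 55 and the 7..30 log2 bounds from Drupal 7's password.inc, and its test values (the salt "abcdefgh", the passwords) are constructed.

```python
import hashlib
import secrets

# Alphabet of Drupal 7's _password_itoa64(); it is NOT the standard base64 alphabet.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55                              # DRUPAL_HASH_LENGTH: stored hash is cut to 55 chars
MIN_LOG2, MAX_LOG2, DEFAULT_LOG2 = 7, 30, 15  # DRUPAL_MIN_HASH_COUNT, DRUPAL_MAX_HASH_COUNT, DRUPAL_HASH_COUNT

def drupal_base64(data: bytes) -> str:
    """Port of _password_base64_encode(): each 3-byte chunk (read little-endian)
    becomes up to four 6-bit characters, least significant bits first."""
    out = []
    for k in range(0, len(data), 3):
        chunk = data[k:k + 3]
        value = int.from_bytes(chunk, 'little')
        for j in range(len(chunk) + 1):
            out.append(ITOA64[(value >> (6 * j)) & 0x3F])
    return ''.join(out)

def password_crypt(algo: str, password: str, setting: str):
    """Port of _password_crypt(): setting = '$S$' + log2-rounds char + 8-char salt."""
    setting = setting[:12]
    if len(password) > 512 or len(setting) != 12 or setting[0] != '$' or setting[2] != '$':
        return None                           # Drupal returns FALSE on malformed input
    log2 = ITOA64.find(setting[3])            # _password_get_count_log2(): 'D' -> 15
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        return None
    pw = password.encode()
    digest = hashlib.new(algo, setting[4:12].encode() + pw).digest()  # hash(salt . password)
    for _ in range(1 << log2):                # 2^X rounds of hash(hash . password)
        digest = hashlib.new(algo, digest + pw).digest()
    return (setting + drupal_base64(digest))[:HASH_LENGTH]

def hash_password(password: str, log2: int = DEFAULT_LOG2, salt: str = None) -> str:
    """Like user_hash_password(); salt is random unless fixed for a reproducible test."""
    salt = salt or ''.join(secrets.choice(ITOA64) for _ in range(8))
    return password_crypt('sha512', password, '$S$' + ITOA64[log2] + salt)

def d6_hash(password: str) -> str:
    """What Drupal 6 stored: a bare, unsalted md5 hex digest."""
    return hashlib.md5(password.encode()).hexdigest()

def check_password(password: str, stored: str) -> bool:
    """Port of user_check_password(): 'U$' marks a migrated D6 hash, then dispatch on type."""
    if stored.startswith('U$'):               # user_update_7000() re-hashed md5($pass)
        stored, password = stored[1:], d6_hash(password)
    algo = {'$S$': 'sha512', '$H$': 'md5', '$P$': 'md5'}.get(stored[:3])
    computed = password_crypt(algo, password, stored) if algo else None
    return computed is not None and secrets.compare_digest(computed, stored)
```

Drupal compares with `==`; the constant-time compare_digest is the one deliberate deviation here.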
#4
5
It's MD5 and as I understand it, there isn't any salting used. Edit - that's drupal 6. For drupal 7 some more advanced hashing is used. A good article on it here - http://joncave.co.uk/2011/01/password-storage-in-drupal-and-wordpress/
#5
0
drupal 8 is using Phpass (modified version)
drupal 7 uses SHA-512 + salt
drupal 6 and previous versions were using md5 with no salt