Decrypting an encrypted password in Node.js

Time: 2022-03-31 18:27:48

How to decrypt the next snippet?

crypto.createHash('md5').update(password).digest('hex');

I tried to use http://lollyrock.com/articles/nodejs-encryption/ but it won't work.

1 solution

#1


2  

Your code shows a very weak password hash approach. I recommend you look into bcrypt as your hashing algorithm instead.

However, the usual way to match passwords securely applies to most hash approaches (whether you use MD5 or another). You don't decrypt, instead you store the hashed password, and when a user enters a password, you verify it is correct by hashing the password they just entered and comparing with the value stored when they registered or set their password:

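var crypto = require('crypto');

// password: what the user just entered
// existing_hashed_password: the hex digest fetched from storage
function checkLogin(password, existing_hashed_password) {
  var login_attempt_hashed = crypto.createHash('md5').update(password).digest('hex');
  if ( login_attempt_hashed === existing_hashed_password ) {
    // Successful login
    return true;
  } else {
    // Unsuccessful login
    return false;
  }
}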

If you use a salt (which you should), then this becomes slightly more complex as you must apply the same salt to the new login attempt too. Most authentication libraries will have a function to do that for you.
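The salted store-and-verify flow described above, as an added example that is not part of the original answer. It uses scrypt from Node's built-in crypto module rather than bcrypt so that it runs without extra packages; the function names, the "salt:hash" storage format and the sample passwords are assumptions made for illustration.

```javascript
// Added example: per-user salt, slow hash, constant-time comparison.
const crypto = require('crypto');

const KEY_LEN = 64; // length of the derived hash in bytes (assumed parameter)

// Registration: returns "salt:hash" (both hex) to put in storage.
function hashPassword(password) {
  const salt = crypto.randomBytes(16); // fresh random salt for every password
  const hash = crypto.scryptSync(password, salt, KEY_LEN);
  return salt.toString('hex') + ':' + hash.toString('hex');
}

// Login: re-hash the attempt with the SAME salt that was stored.
function verifyPassword(password, stored) {
  const parts = String(stored).split(':');
  if (parts.length !== 2) return false; // malformed record
  const salt = Buffer.from(parts[0], 'hex');
  const expected = Buffer.from(parts[1], 'hex');
  // Reject truncated or non-hex records before comparing.
  if (salt.length === 0 || expected.length !== KEY_LEN) return false;
  const actual = crypto.scryptSync(password, salt, KEY_LEN);
  // timingSafeEqual needs equal lengths, which the check above guarantees.
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample data, not taken from the page.
const record = hashPassword('correct horse battery staple');
console.log(verifyPassword('correct horse battery staple', record));
console.log(verifyPassword('wrong guess', record));
```

Only the "salt:hash" string is stored; the plaintext password is never written anywhere and cannot be recovered from the record.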
