2016-01-21 67 views
1

I'm looking for some help or advice on best practices for updating my password system. A while ago I built a login system with PHP (before I really knew what I was doing), and all it does is encrypt passwords with sha1, which I know is neither secure nor convenient. Changing the password structure without affecting current users

So basically, for a successful login, all it is is

$password = sha1($password1);

I want to use a different method that I've been using recently, which makes use of crypt's Blowfish (CRYPT_BLOWFISH) functionality, like this:

function generateHash($password_1){
    if(defined("CRYPT_BLOWFISH") && CRYPT_BLOWFISH){
        //echo "WE HAVE CRYPT BLOWFISH YAYA";
        // "$2y$" selects bcrypt, "11" is the cost; the 22-character salt must be drawn from [./0-9A-Za-z]
        $salt = '$2y$11$'. substr(md5(uniqid(rand(), true)), 0, 22);
        return crypt($password_1, $salt);
    }//End If
    // No Blowfish support: fail loudly instead of returning nothing and storing an empty hash
    trigger_error('CRYPT_BLOWFISH is not available on this PHP build', E_USER_ERROR);
}//End Function generateHash

At registration I encrypt the password:

$password_1 = $_POST['password_1'];
//hash the password
$password = generateHash($password_1);

Then at login I use

// $entered_password holds the hash stored for this user; crypt() reuses the salt embedded in it
$hashed_password = crypt($password_1, $entered_password);
if($hashed_password != $entered_password){
    $error['password'] = 'The password or username you entered is incorrect.';
}else{
    echo 'Your Good to Go!';
}

I have a lot of users and want to make the change seamless, or at least with very little impact on them. Is it even possible to do this without them noticing the change? Any help or advice is appreciated.

Thanks

+0

You could check how long the password is; SHA1 should be exactly 40 characters. If it is 40 characters long, use the old method and direct them to a change-password page, otherwise use the new method. – Ian

+0

Does your table have an insert-date column field? –

+0

Yes, I have an automatic timestamp column – bilcker

Answers

0

Thanks for the idea Cvetomir. So what I did was create a new column in the table named encrypted_password; basically, all new registrations will be encrypted using CRYPT_BLOWFISH.

So basically my solution (not sure how elegant it is, but it works) looks at each password. If the entered password matches the SHA1 password, it grabs the posted password, encrypts it in the new format and adds it to the database.

Once the encrypted password column is updated I'll drop the old password column. Anyway, happy to hear thoughts/suggestions to make it better, but for now it works; a lot of trial and error went into this one.

if(!$errors && $username == $teacher_row['username']){
    if($_POST['password1'] != ''){
        $old_password = filter_var($_POST['password1']);
        $old_password = sha1($old_password);
        //If the old SHA1 password does not match anything in the database then try and match it with our new method
        if($old_password != $teacher_row['password1']){
            //New password will be the $_POST password
            $new_password = $_POST['password1'];
            //Grab the new column
            $user_password = $teacher_row['encrypted_password'];

            //Re-crypt the password with the stored hash as the salt to see if they match
            $hashed_password = crypt($new_password, $user_password);
            //If it doesn't match throw an error
            if($hashed_password != $user_password){
                $errors['username'] = 'The username or password you entered is incorrect.';
            }//If Hashed Password != User password
            else{
                //The new password does match, so start your session
                session_regenerate_id();
                //Create our session on session_id and hash it as well
                $session_id = generateHash($dhl_id);
                $_SESSION['DHL'] = $session_id;
                $_SESSION['TIMEOUT'] = time();
                $_SESSION['TEACHER_ID'] = $teacher_username;
                session_write_close();
            }
        }
        else{ //The old passwords match: store the password in the new format

            $password = generateHash($_POST['password1']);

            //$errors['username'] = 'Password Correct '.$_POST['password1'].' and '.$password.'';

            //Build our query
            $sql = "UPDATE members_teachers SET encrypted_password = ? WHERE username = ?";
            //Prepare our query; can not proceed if we can not prepare it
            $stmt = $db_connection->prepare($sql);
            if(false===$stmt){
                die('prepare() failed: ' . htmlspecialchars($db_connection->error));
            }
            //Bind the fields and their parameters to our query in our testing variable $next_step
            $next_step = $stmt->bind_param('ss', $password, $teacher_username);
            //If next_step is false then it didn't work and there is no sense in proceeding
            if(false===$next_step){
                die('bind_param() failed: ' . htmlspecialchars($stmt->error));
            }
            //Place the execute into a variable and test if it executed or not
            $next_step = $stmt->execute();
            //If next_step is false then it didn't work and there is no sense in proceeding
            if(false===$next_step){
                die('execute() failed: ' . htmlspecialchars($stmt->error));
            }

            //The new hashed password is stored, we are good
            session_regenerate_id();
            //Create our session on session_id
            $session_id = generateHash($dhl_id);
            $_SESSION['DHL'] = $session_id;
            $_SESSION['TIMEOUT'] = time();
            $_SESSION['TEACHER_ID'] = $teacher_username;
            session_write_close();

        }//End the old passwords do match

    }//If password is not blank
    else{
        $errors['username'] = 'You must enter a password';
    }
}
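The migrate-on-login flow that the question asks for and the answer above implements, written out as one added PHP example (it is not code from either post): it detects a legacy 40-hex-character sha1() value as Ian's comment suggests, compares it in constant time, and on success rehashes with password_hash() so the weak hash leaves the database. It assumes PHP 5.6+ (password_hash, hash_equals), a mysqli connection $db, and the answer's table and columns (members_teachers with username, password1 holding the old sha1, encrypted_password holding bcrypt).

```php
<?php
// Added example (not from either post): migrate a legacy sha1() column to bcrypt on login.
// Assumes PHP 5.6+, a mysqli connection $db, and the answer's table:
// members_teachers(username, password1 = legacy sha1 hex, encrypted_password = bcrypt).

function isLegacySha1($stored) {
    // A sha1() hex digest is exactly 40 hex characters, as Ian's comment notes;
    // a bcrypt string starts with "$2y$" and is 60 characters long, so they cannot be confused.
    return is_string($stored) && preg_match('/^[0-9a-f]{40}$/', $stored) === 1;
}

function verifyAndMigrate(mysqli $db, $username, $plaintext) {
    $stmt = $db->prepare(
        'SELECT password1, encrypted_password FROM members_teachers WHERE username = ?');
    if ($stmt === false) { return false; }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($legacy, $bcrypt);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) { return false; }

    // Already migrated: password_verify() re-derives the hash with the stored salt and
    // compares in constant time, replacing the crypt()/!= pair used in the posts.
    if ($bcrypt !== null && $bcrypt !== '') {
        return password_verify($plaintext, $bcrypt);
    }

    // Not migrated yet: the only thing we can check is the old sha1 value.
    if (!isLegacySha1($legacy) || !hash_equals($legacy, sha1($plaintext))) {
        return false;
    }

    // Correct legacy password, so this is the one moment we hold the plaintext: store a
    // bcrypt hash (cost 11 matches the question's "$2y$11$"; the salt comes from PHP's
    // CSPRNG rather than md5(uniqid())) and clear the sha1 value for this row.
    $newHash = password_hash($plaintext, PASSWORD_BCRYPT, array('cost' => 11));
    $stmt = $db->prepare(
        'UPDATE members_teachers SET encrypted_password = ?, password1 = NULL WHERE username = ?');
    if ($stmt !== false) {
        $stmt->bind_param('ss', $newHash, $username);
        $stmt->execute();   // if this fails the login still succeeds; migration retries next time
        $stmt->close();
    }
    return true;
}
```

Call verifyAndMigrate($db, $_POST['username'], $_POST['password1']) where the sha1 comparison used to be; once the active users have all logged in, any rows still holding a non-NULL password1 belong to accounts that never returned and need a password reset before the old column is dropped.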
1

You can create a new column in the user table beforehand: password, newPassword.
When a user logs in, you can hash the password with the new algorithm and save it in the newPassword column.
After a few days, rename the newPassword column to password.
