Drupal 7 password hash

Published 2019-04-02 04:38

Question:

I have a bit of a dilemma here. I have a drupal 7 database table of users, with corresponding passwords. All these passwords have been naturally encrypted. My assumption is that these are MD5 hashes, but not quite.

The challenge here is that we are utilizing the same set of users in a companion website that uses similar credentials but a different technology [please don't blame me for this, I am a mere pawn].

Now if I knew how Drupal goes about encrypting its passwords, maybe I could decrypt them and apply the same in my backend logic?

Answer 1:

Note that these passwords are hashed, not encrypted. The fundamental difference between hashing and encryption is that with encryption you would be able to recover the original password. You won't be able to do that when they are hashed (not without a lot of effort), and that's by design.

Think of hash browns: if you've made a hash brown, you won't be able to get the original potatoes back. This is done so that if a hacker compromises your system and gains access to the database, they won't be able to see or recover the original passwords.

So how does one check if the user entered the correct password? Well, when the user tries to log in and enters a password, you apply the same functions to the user input and see if the output is the same thing as what's stored in the database. Since hashing functions are deterministic, you'll always get the same output with the same input.

The key to getting multiple applications to work with the same hashes is to have them use the same functions on the passwords when attempting to authenticate a user. Drupal probably also uses one or more salts - but that's not important. As long as the same logic is used by your applications, the hashes will always be fully compatible.

Suppose Drupal uses something like this as its authentication system (very simplified pseudo-ish code):

```php
<?php
/*
    input: user-entered $username and $password
    output: true if authorized, false otherwise
*/
function auth($username, $password)
{
    $salt = 'some random salt';

    // Bind the username as a query placeholder instead of splicing it into the SQL.
    $hash_from_db = db_query('SELECT hash FROM {users} WHERE username = :name',
                             array(':name' => $username))->fetchField();
    // Apply the same salt and hash function that were used when the hash was stored.
    $hashed_input = sha1($password . $salt);

    // No such user, or the hashes differ: not authorized.
    return $hash_from_db !== FALSE && hash_equals($hash_from_db, $hashed_input);
}
```

If your other application uses the exact same thing to authenticate its users, it will work fine. Note that Drupal's authentication scheme will probably be a lot more complex, but don't let that faze you. It's just about doing the same thing Drupal does.

For Drupal, here's where you can start: user_hash_password().

Answer 2:

You can use the Drupal method user_check_password($password, $account) in includes/password.inc to check whether a plain text password is valid or not for this user.
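Putting Answer 1's "same logic in both applications" rule and Answer 2's pointer to user_check_password() together, here is an added example (not from the post and not Drupal's own code) that ports the $S$ hash check from includes/password.inc to Python, so that a non-PHP companion backend can verify the hashes already stored in the Drupal 7 users table. The salt `abcdefgh` and the passwords in the test are constructed values.

```python
import hashlib
import hmac

# Alphabet and limits from Drupal 7 includes/password.inc (phpass-style)
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
DRUPAL_HASH_LENGTH, MIN_LOG2, MAX_LOG2 = 55, 7, 30

def password_base64_encode(data: bytes) -> str:
    """Port of _password_base64_encode(): 6-bit groups, low bits first."""
    count, out, i = len(data), [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return ''.join(out)

def password_crypt(algo: str, password: bytes, setting: str):
    """Port of _password_crypt(): the 55-char hash, or None if the setting is bad."""
    setting = setting[:12]  # '$S$' + log2(iterations) char + 8-char salt
    if len(password) > 512 or len(setting) < 12 or setting[0] != '$' or setting[2] != '$':
        return None  # Drupal also refuses over-long passwords as a DoS guard
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    digest = hashlib.new(algo, setting[4:12].encode() + password).digest()
    for _ in range(1 << count_log2):  # 2**log2 chained rounds over the raw digest
        digest = hashlib.new(algo, digest + password).digest()
    return (setting + password_base64_encode(digest))[:DRUPAL_HASH_LENGTH]

def user_check_password(password: str, stored: str) -> bool:
    """Port of user_check_password(): True if password matches the stored hash."""
    pw = password.encode()
    if stored.startswith('U$'):  # Drupal 6 MD5 hash re-hashed during the upgrade
        stored, pw = stored[1:], hashlib.md5(pw).hexdigest().encode()
    algo = {'$S$': 'sha512', '$H$': 'md5', '$P$': 'md5'}.get(stored[:3])
    computed = password_crypt(algo, pw, stored) if algo else None
    return computed is not None and hmac.compare_digest(computed, stored)
```

To create new hashes that Drupal itself will accept, build the setting the way user_hash_password() does: `'$S$'`, the ITOA64 character for the iteration count (Drupal 7's default of 15 gives the familiar `$S$D` prefix), and an 8-character salt produced by password_base64_encode() over 6 random bytes.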