Hash(x) = y
x: a variable-length string
y: a fixed-length string
- The same password gives a different result each time:
# htpasswd -n aaa
New password:
Re-type new password:
aaa:5mySuhNnScwZA
# htpasswd -n aaa
New password:
Re-type new password:
aaa:h3bCW5mWiIWxQ
>>> from crypt import crypt
>>>
>>> crypt("wrongpass", "h3bCW5mWiIWxQ")
'h3eLrFx7uckuw'
>>> crypt("111", "h3bCW5mWiIWxQ")
'h3bCW5mWiIWxQ'
>>> crypt("111", "5mySuhNnScwZA")
'5mySuhNnScwZA'
Only the red part (the first two characters of the stored value, which are the salt) needs to match; crypt() takes the salt from there and ignores the rest of the second argument.
- htpasswd -s is insecure.
htpasswd -s stores a SHA-1 digest with no salt; this appears to be for compatibility with Netscape/LDIF:
simon@diablo:~$ htpasswd -s -b -c htpasswd simon abcd
Adding password for user simon
simon@diablo:~$ htpasswd -s -b htpasswd simon2 abcd
Adding password for user simon2
simon@diablo:~$ cat htpasswd
simon:{SHA}gf6L/odXbD7LIkJvjleEc4KRes8=
simon2:{SHA}gf6L/odXbD7LIkJvjleEc4KRes8=
Two users with the same password get the identical {SHA} line. These can easily be reversed: convert the base64 into a hex digest:
>>> import base64
>>> # Python 3 equivalent of the original Python 2 ord()/"%02x" one-liner
>>> base64.b64decode("gf6L/odXbD7LIkJvjleEc4KRes8=").hex()
'81fe8bfe87576c3ecb22426f8e57847382917acf'
then use an online hash database
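The two observations above (crypt() verifies against the two-character salt; htpasswd -s entries are unsalted SHA-1, so equal passwords give equal lines) as an added Python example that is not part of the original note. The htpasswd content is constructed from the transcripts above (the second aaa account is renamed aaa2 so both lines can coexist); the function names are my own.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed htpasswd file: two salted crypt() entries for password "111"
# and two unsalted {SHA} entries for password "abcd", taken from the transcripts.
HTPASSWD = """\
aaa:5mySuhNnScwZA
aaa2:h3bCW5mWiIWxQ
simon:{SHA}gf6L/odXbD7LIkJvjleEc4KRes8=
simon2:{SHA}gf6L/odXbD7LIkJvjleEc4KRes8=
"""

def parse_htpasswd(text):
    """Return {user: stored_value} for every 'user:hash' line."""
    entries = {}
    for line in text.splitlines():
        if ":" in line:
            user, stored = line.split(":", 1)
            entries[user] = stored
    return entries

def sha_hex(stored):
    """Hex form of the SHA-1 digest inside a '{SHA}<base64>' entry."""
    return base64.b64decode(stored[len("{SHA}"):]).hex()

def verify_sha(password, stored):
    """htpasswd -s check: no salt, so the digest depends on the password alone."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return stored == "{SHA}" + digest

def verify_crypt(password, stored):
    """Traditional crypt() check: the salt is the first two characters of the stored value.
    Returns None where the platform cannot compute DES crypt (module removed in 3.13)."""
    try:
        import crypt
        return crypt.crypt(password, stored[:2]) == stored
    except (ImportError, OSError, ValueError):
        return None

def audit(entries):
    """Flag unsalted {SHA} entries and groups of users sharing an identical stored value.
    Salted entries never collide this way even when the passwords are equal."""
    unsalted = sorted(u for u, h in entries.items() if h.startswith("{SHA}"))
    by_value = defaultdict(list)
    for user, stored in entries.items():
        by_value[stored].append(user)
    shared = sorted(sorted(users) for users in by_value.values() if len(users) > 1)
    return unsalted, shared
```

Running audit() over a real htpasswd file lists the accounts that should be re-hashed with a salted scheme and the users whose identical digests already reveal that they share a password.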