用户名,密码,加盐,加密,哈希-如何全部工作? [英] Username, Password, Salting, Encrypting, Hash - How does it all work?
问题描述
可能重复:
保护PHP密码的哈希值和盐值
Possible Duplicate:
Secure hash and salt for PHP passwords
我在stackoverflow和其他网站上都读了很多有关Web安全的文章.例如加盐加密等.我有点不明白,所以简单的解释将非常有帮助.
Iv'e read a lot of posts both in stackoverflow and other websites talking about web security. Such as salting encrypting etc. And I'm kinda not getting it so a simple explanation would be really helpful.
所以这是我到目前为止所知道的.用户使用用户名和密码登录.输入然后经过一个过程.假设用户名和密码是组合在一起的,例如:
So here's what I know so far. A user logs in types his username and password. The input then goes through a process. Lets say the username and password is combined like for example:
$username = (USERS USERNAME INPUT);
$password = (USERS PASSWORD INPUT);
$userinput = $username . $password;
然后我们加一些盐.
$salt1 = "13$13aVc!kd";
$salt2 = "4kr$!vlmeoc";
$salted = $salt1 . $userinput . $salt2;
然后我们对其进行加密.
Then we encrypt it.
$encrypted = encrypt($salted);
然后检查数据库,以及数据库的正确用户是否登录.
Then check with the database and if its right user gets logged in.
这是正确的方法吗?但是我读到有关暴力攻击的信息.它猜输入值正确吗?通过以上步骤.难道不是表明攻击者只需要正确获取$ userinput信息即可进入吗?他不需要猜测较长的$ encrypted字符串正确吗?
That's how it works right? But Iv'e read about brute force attack. It guesses the input values right? With the procedure above. Doesn't it shows that the attacker only needs to get the $userinput information correct to get in? He doesn't need to guess the long $encrypted string correct?
注意:可以说在这种情况下没有验证码,没有尝试次数限制,没有锁定,除了上面的一个以外就没有其他
Note: Lets say in this situation there's no captcha, no number of tries limit, no lockout, nothing else but the one above.
注意:请保持冷静,我仍在学习.
Note: Be gentle I'm still learning.
推荐答案
如果您排除验证码,请尝试限制,锁定等,然后是.您只需要强行使用纯文本字符串即可.
If you rule out captchas, try limits, lockouts, et cetera... then yes. You just have to brute force the plain text string.
但是,这确实要花费时间-至少,它受服务器响应登录请求的速率的限制.即使开发人员未添加任何防止暴力破解的措施,服务器本身也只能如此快速地执行加密+验证过程,并且只能处理如此多的并行请求.
However, that does take time - at the very least, it's bounded by the rate at which the server will respond to login requests. Even if the developer doesn't add any measures to prevent brute forcing, the server itself can only go through the encryption + verification process so quickly, and can only handle so many parallel requests.
也就是说,这就是为什么重要
That said, this is why it's important to
- 作为用户,请使用强而硬的暴力密码
- 作为开发人员,应采取适当措施来防止您的登录过程被强行使用
哈希密码不能防止暴力破解自然登录过程的人(还有其他保护措施).取而代之的是,它们是为了防止密码存储本身受到潜在的损害(例如,有人在转储数据库的内容).
Hashing and salting passwords isn't to protect against people who brute force the natural login process (there are other things that protect against that). Instead, they're to protect against potential compromise of the password storage itself (e.g. someone dumping the contents of the database).
散列和加盐都可以降低速度,在这种速度下,有权访问存储的密码的人可以检索他们需要能够通过自然登录过程的纯文本字符串(您的网站或其他网站,因为密码通常是在网站之间共享的),而无需采取反暴力手段的安全措施.
Both hashing and salting serve to decrease the speed at which someone with access to the stored passwords can retrieve the plain text string they'd need to be able to go through the natural login process (of your site or other sites, given that passwords are commonly shared between sites) without tripping anti-brute-forcing security measures.
这篇关于用户名,密码,加盐,加密,哈希-如何全部工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
