可以将用户的密码和密码哈希表保存在同一张表中吗? [英] Is It okay to save user's salt in the same table as password hash?
问题描述
可以吗,不是没用吗?它可以保存在另一个表甚至另一个数据库中.
您怎么看?
P.S.为了获得更高的安全性,我也使用了恒盐花生".它是恒定值,保存在配置文件中(而不是数据库中).因此,如果黑客想以某种方式破解密码,那么他还需要访问文件服务器和数据库.
是的,可以将每个用户的salt存储在存储密码 hash (不是密码本身)-即使对手可以访问原始数据库数据,他仍然需要分别尝试每个用户的salt + password;将盐存储在另一个表中并没有真正增加任何重要的安全性(如果您假设对手可以访问数据库,那么假设他仅可以访问数据库的一部分对我来说就没有多大意义了.)
如果您使用salt + peanuts + password创建密码哈希,那么我想说的是,您的设计比80%的系统更安全-也就是说,在不过度偏执的情况下相当安全
但是请注意,如果您实际上是以可恢复的形式(加密或纯文本)存储密码,那么您将无法获得任何安全性-盐和哈希的全部意义在于您并非以可恢复的形式存储密码.如果您确实存储了密码,则该密码是系统中最弱的链接,因此完全不安全.为了清楚起见:用户表应仅包含盐+花生+密码的盐和哈希,密码本身.
Is it okay and isn't useless? It could be saved in another table or even another database.
What do you think?
P.S. For higher security, I have the constant salt "peanuts" too. It's constant value saved in configuration file (not in database). So if hacker want to somehow hack password, he need access to file server and database as well.
Yes, it's okay to store the per-user salt in the same table which stores the password hash (not the password itself) - even if the adversary gets access to the raw database data, he'd still need to try each user's salt+password separately; storing the salt in another table is not really adding any significant security (if you assume the adversary has access to the database, it doesn't make much sense to me to assume he only has access to one part of it).
If you're using salt+peanuts+password to create the password hash, then I'd say that your design is safer than 80% of the systems out there - which is to say, reasonably safe without going overboard with paranoia.
Note however, that if you're actually storing the password in recoverable form (encrypted or plaintext), you're throwing any security out of the window - the whole point of salts and hashing is that you are not storing the password in recoverable form. If you do store the password, that is the weakest link of your system, which is then completely insecure. To make things clear: the user table should only contain the salt and hash of salt+peanuts+password, never the password itself.
这篇关于可以将用户的密码和密码哈希表保存在同一张表中吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
