使用SHA256 + SHA512哈希作为密码? [英] Using SHA256 + SHA512 hash for password?
问题描述
我正在创建一种用于哈希密码以存储在数据库中的方法.如果我的哈希方法足以胜任该任务,我想寻求建议.
I'm creating a method that I will use to hash password to store in a database. I would like to seek advice if my methods in hashing is sufficient or overkill for the task.
Dim result As Byte()
Dim mixer As String
Try
Dim sha As New SHA512CryptoServiceProvider
mixer = txt_salt.Text.ToUpper + txt_pass.Text.Trim
result = sha.ComputeHash(System.Text.Encoding.ASCII.GetBytes(mixer))
txt_sha.Text = Convert.ToBase64String(result)
Catch ex As Exception
MsgBox(ex.ToString)
End Try
谢谢.
推荐答案
这是不够的.
- 无盐:
- 容易受到彩虹表的影响(如果哈希被泄漏)
- 解决方案:在大域
- No salt:
- vulnerable to rainbow tables (if hashes are leaked)
- solution: use random salt in large domain
- 容易受到暴力攻击(如果散列了哈希值)
- 大多数哈希算法被设计为快速
- 解决方案: bcrypt ,
- vulnerable to brute-force (if hashes are leaked)
- most hashing algorithms are designed to be fast
- solution: bcrypt, scrypt or multiple (many!!!) rounds
- 没有其他服务器机密"(存储在db之外!)
- 解决方案: hmac-sha1 ,等等.
- does not have additional "server secret" (stored outside db!)
- solution: hmac-sha1, etc.
- this is a "roll your own" implementation
- solution: don't reinvent a wheel, unless it's one of these or these :)
就位"而言,SHA1可以完美地使用160(但由于其他原因,它本身并不能很好).同时使用SHA256 + SH512会使零增益复杂化. (实际上,由于需要额外的存储空间,因此净损失非常小.)
As far as "bits" go, SHA1 is perfectly fine with 160 (but it is not fine [by itself] for other reasons). Doing both SHA256+SH512 just complicates the matter for zero gain. (Actually, it is a very slight net loss due to the extra storage requirements.)
我建议使用现有的图书馆/系统,除非这是一个学术项目:)
I suggest using an existing library/system, unless this is an academic project :)
快乐的编码.
这篇关于使用SHA256 + SHA512哈希作为密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!