Qt Computing and Comparing Password Hashes

Problem description

Currently building a web facing authentication service in Qt for a Quiz program.

It is my understanding that when storing a user's password in a database it must be obscured in case it falls into the wrong hands.

The prevailing method appears to be a process of adding Salt to the password and then storing the computed hash of the combination.

This hash can later be compared:

HASH( userinput + SALT ) = StoredHash

Qt provides QCryptographicHash::hash( data, Algorithm method) but as the key is presumably random I do not see how this can be useful.

Alternatively, Qt provides QMessageAuthenticationCode::hash( message, key, Algorithm method). Am I correct in thinking that message would be userpassword and key would be pseudo_random(row_id)?

I am thinking of using the SHA2-256 algorithm. Do I need a cryptographically secure pseudorandom number generator?

Recommended answer

The Qt Library components are indeed unsuitable for Cryptography.

libSodium's implementation of Argon plugs in nicely, and although relatively new, OWASP and others are saying good things.

.pro

# Link against libsodium. Libraries go in LIBS, not in the compiler or linker flag variables.
LIBS += -lsodium

Still have to enforce
