How does a database get hacked? A question about salting, etc.


Question

Bear with me, I have only been learning PHP for a few weeks, so example code may confuse me. I think I finally understand salting! It's to protect passwords inside the database, if it is breached.

What I don't understand is, why would a hacker have to crack hashes if they are trying to figure out a user's password (assuming that's their goal)? Wouldn't this be easier? Is the only defense against password guessing to implement a limit of X password entries a day, or a CAPTCHA?

How would a database get hacked in the first place? Is it more password guessing, or can hashes be obtained through MySQL injection?

Thanks!

Answer

Yes, salting is to protect the passwords from ever being reversed into plaintext. It also stops someone from saying "the encrypted password is the same on site A as on site B, so the user has the same password in both places".

This isn't just to protect users against hackers; it's also to protect them against you.

Yes, the only defense against password guessing is to slow down or disallow repeated attempts. Most CAPTCHAs are breakable or broken, and you can't impose a CAPTCHA or guess limit on someone who has a copy of the raw database. So keep even the encrypted data out of the hands of malicious individuals. Don't let them at your .htpasswd or /etc/shadow file or your database.

If you are not using a salt, generating a rainbow table (in advance) is much easier than guessing a very strong password directly. The key is that building the reverse mapping hash->password can be done once, and the (unsalted) hash is broken forever for anyone possessing the rainbow table.

The database could be hacked if your provider is compromised, if there is an injection vulnerability in your code, if your DB user account password is guessed, if your provider uses eBay to sell off the (presumed-wiped) hard drive that had a three-year-old copy of your database on it... It can happen in many ways.
