正确加盐和使用 PHPass [英] Proper salting and using PHPass
问题描述
很长时间以来,我一直在使用 PHPass 来散列我的密码.我承认仍有一些我不完全理解(或忽略)正确散列密码的事情,所以今天我正在查看我能找到的所有信息.
I've been using PHPass to hash my passwords for a long time. I admit that there's still things I don't fully understand (or ignore) to hash a password properly so today I was reviewing all the info I could find about it.
查看 PHPass 文档,我已经介入:
Reviewing PHPass documents, I've steped into this:
除了实际的散列之外,当对新密码或密码进行散列时,phpass 透明地生成随机盐,并将散列类型、盐和密码拉伸迭代计数编码到它返回的散列编码字符串"中.当 phpass 根据存储的散列验证密码或密码短语时,它同样透明地从散列编码字符串"中提取并使用散列类型标识符、salt 和迭代计数.因此,您无需费心自行腌制和拉伸 - phpass 会为您处理这些.
Besides the actual hashing, phpass transparently generates random salts when a new password or passphrase is hashed, and it encodes the hash type, the salt, and the password stretching iteration count into the "hash encoding string" that it returns. When phpass authenticates a password or passphrase against a stored hash, it similarly transparently extracts and uses the hash type identifier, the salt, and the iteration count out of the "hash encoding string". Thus, you do not need to bother with salting and stretching on your own - phpass takes care of these for you.
我已将困扰我的句子加粗.
我总是认为盐应该有点秘密,从某种意义上说,攻击者不应该知道它.因此,如果理解正确,PHPass 会将使用的盐存储在同一哈希中,以便在比较密码并检查是否有效时使用它.
我的问题是
I've bolded the sentence that bothered me.
I always though that the salt should be somewhat secret, in the sense that it should not be known to the attacker. So if a understood correctly, PHPass stores the salt used in the same hash so it is able to use it when comparing passwords and check if valid.
My questions are
- 这样安全吗?如果散列被泄露,攻击者就会使用盐来对密码进行散列......这里有一些我想念的东西.
- 我在这里真的可以自由地为密码加盐而烦恼吗?我真的可以依赖 PHPass 吗?
推荐答案
salt 的目的是不是成为秘密.目的是为每个散列输入添加一个唯一的组件,因此相同的密码不会散列到相同的散列,从而使暴力破解过程更加困难和耗时,因为每个散列都必须单独尝试.
The purpose of a salt is not to be a secret. The purpose is to add a unique component to each hash input, so identical passwords will not hash to identical hashes, thereby making the brute-force process more difficult and time consuming since each hash has to be tried individually.
是的,如果盐是秘密的,它会稍微更安全,但在实践中很难实现,因为您的应用程序也需要盐,所以它需要存储在某个地方密码也可以访问.因此,实际上,当攻击者获得密码哈希时,他通常也能够获得盐.
Yes, it would be marginally more secure if the salt was secret, but that's hard to realize in practice, since your application needs the salt as well, so it needs to be stored somewhere where the password is accessible as well. Therefore, in practice, when the attacker gets the password hash, he's typically also able to get the salt anyway.
这篇关于正确加盐和使用 PHPass的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
