Difference between Hashing a Password and Encrypting it


Question

The current top-voted answer to this question states:

Another one that's not so much a security issue, although it is security-related, is complete and abject failure to grok the difference between hashing a password and encrypting it. Most commonly found in code where the programmer is trying to provide unsafe "Remind me of my password" functionality.

What exactly is this difference? I was always under the impression that hashing was a form of encryption. What is the unsafe functionality the poster is referring to?

Answer

Hashing is a one-way function (well, a mapping). It's irreversible: you apply the secure hash algorithm and you cannot get the original string back. The most you can do is to generate what's called "a collision", that is, finding a different string that provides the same hash. Cryptographically secure hash algorithms are designed to prevent the occurrence of collisions. You can attack a secure hash by the use of a rainbow table, which you can counteract by applying a salt to the hash before storing it.

Encrypting is a proper (two-way) function. It's reversible: you can decrypt the mangled string to get the original string if you have the key.

The unsafe functionality it's referring to is that if you encrypt the passwords, your application has the key stored somewhere, and an attacker who gets access to your database (and/or code) can get the original passwords by getting both the key and the encrypted text, whereas with a hash it's impossible.

People usually say that if a cracker owns your database or your code he doesn't need a password, thus the difference is moot. This is naïve, because you still have the duty to protect your users' passwords, mainly because most of them do use the same password over and over again, exposing them to a greater risk by leaking their passwords.
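The following is an added example, not code from the question or the answer above, that shows the three points the answer makes side by side: an encrypted password is recoverable by anyone holding the key (which is exactly what a "remind me of my password" feature relies on), a salted slow hash can only be verified, never reversed, and an unsalted fast hash falls to a precomputed lookup table while a salted one does not. Only the Python standard library is used. The keystream cipher is a toy built from HMAC-SHA256 purely to make the reversibility visible (real code would use AES-GCM); the wordlist and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

# ---- Encrypted storage: reversible for anyone who holds the key ------------------
# Toy stream cipher: keystream = HMAC-SHA256(key, nonce || counter) XORed into the
# data. It is here only to demonstrate reversibility; use AES-GCM in real code.

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_password(key, password):
    """Return nonce || ciphertext. The plaintext comes back with the same key."""
    nonce = os.urandom(16)
    data = password.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_password(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def remind_me_of_my_password(key, blob):
    """The unsafe feature from the question: the application can mail the plaintext
    back only because it keeps the key, so a thief with key + database can do the same."""
    return decrypt_password(key, blob)

# ---- Hashed storage: one-way, salted, deliberately slow ---------------------------

def hash_password(password, salt=None, iterations=100_000):
    """Store salt, iteration count and digest; the password itself is not recoverable."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_password(password, record):
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

# ---- Why the salt matters: a precomputed (rainbow-table style) lookup --------------
# Constructed sample wordlist; a real attacker uses millions of leaked passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]

def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(wordlist):
    """Computed once, reusable against every database that stores unsalted hashes."""
    return {unsalted_hash(p): p for p in wordlist}

def lookup(stored_hex, table):
    return table.get(stored_hex)   # None means the stored value is not in the table

if __name__ == "__main__":
    key = os.urandom(32)
    blob = encrypt_password(key, "hunter2")
    print("encrypted; reminder feature returns:", remind_me_of_my_password(key, blob))

    record = hash_password("hunter2")
    print("hashed; verify correct:", verify_password("hunter2", record),
          "wrong:", verify_password("hunter3", record))

    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted SHA-256 found in table:", lookup(unsalted_hash("hunter2"), table))
    print("salted PBKDF2 found in table:", lookup(record["digest"].hex(), table))
```

Two things worth noticing when running it: two calls to `hash_password` with the same password produce different digests because each gets its own salt, which is what defeats the one-time table, and `verify_password` never needs the plaintext to be stored anywhere, so there is nothing for the "remind me" feature to hand back; the only honest replacement is a reset flow that sets a new password.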

