推荐哈希在ASP经典密码 [英] Recommended hash for passwords in ASP Classic
问题描述
什么是ASP中的经典?
What is the slowest (therefore best) hash algorithm for passwords in ASP Classic?
编辑:对于那些不知道,散列密码时,速度较慢的哈希preferred更快地有助于减缓彩虹表式的攻击。
For those unaware, when hashing passwords, slower hashes are preferred to faster to help slow rainbow table style attacks.
EDIT2:是的,当然,速度不是哈希选择的唯一有效的关注。我的问题假设所有其他的事情都是平等 最慢的哈希方法是$ P $散列密码的时候pferred 。虽然碰撞/逆向工程当然是一个问题,我一直在速度优先在这个问题上,因为它可以说是上使用的密码比较流行的哈希算法时要考虑的最关键因素。
And yes, of course speed isn't the only valid concern for hash selection. My question assumes that All other things being equal, the slowest hash method is preferred when hashing a password. Though collision/reverse engineering is of course a concern too, I'm prioritizing speed in this question since it is arguably the most critical factor to consider when comparing popular hash algorithms for use on passwords.
谢谢!
推荐答案
很多人似乎对这个问题,提问者殴打,因为他要寻找一个缓慢的哈希函数。实际上,所有其他方面都相同,一个慢散列函数大于一快一更安全。这是因为一个较慢的哈希函数中的慢一代的彩虹表和慢暴力破解或结果上的密码字典攻击
A lot of people seem to be beating on the question-asker because he's looking for a slow hash function. Actually, all other aspects being equal, a slower hash function is more secure than a fast one. This is because a slower hash function results in slower generation of rainbow tables and slower brute forcing or dictionary attacks on the password.
从托马斯Ptacek在 http://www.securityfocus.com/blogs/262 的,因为在这种引用< A HREF =http://www.codinghorror.com/blog/archives/000953.html>编码恐怖文章:
From Thomas Ptacek at http://www.securityfocus.com/blogs/262, as referenced in this Coding Horror article:
问题是, MD5是快。所以
是它的竞争对手现代,像SHA1
和SHA256 。速度是一个设计目标
现代安全散列,因为散列
是几乎每一个积木
密码,通常得到
需求执行基于每个分组或
每个消息的基础。
The problem is that MD5 is fast. So are its modern competitors, like SHA1 and SHA256. Speed is a design goal of a modern secure hash, because hashes are a building block of almost every cryptosystem, and usually get demand-executed on a per-packet or per-message basis.
速度正是你不想要的东西
在密码哈希函数。
现代密码方案被攻击
与增量密码破解。
Modern password schemes are attacked with incremental password crackers.
增量饼干别
precalculate所有可能破解
密码。他们认为每个密码
个别哈希,他们养活自己
通过密码哈希字典
功能相同的方式你的PHP登录
页面会。彩虹表饼干
像ophcrack的使用空间来攻击
密码;增量饼干状
约翰开膛手,裂缝和LC5工作
随着时间的推移:统计和计算
Incremental crackers don’t precalculate all possible cracked passwords. They consider each password hash individually, and they feed their dictionary through the password hash function the same way your PHP login page would. Rainbow table crackers like Ophcrack use space to attack passwords; incremental crackers like John the Ripper, Crack, and LC5 work with time: statistics and compute.
密码攻击游戏中得分
花时间来破解密码X.随着
彩虹表,到时候要看
有多大你的表需要以及如何
快可以搜索它。同
增量饼干,该时间取决于
关于如何快速使密码
哈希函数运行。
The password attack game is scored in time taken to crack password X. With rainbow tables, that time depends on how big your table needs to be and how fast you can search it. With incremental crackers, the time depends on how fast you can make the password hash function run.
更好的帮助您优化
密码哈希函数,更快
您的密码哈希函数得到的
您较弱方案。 MD5和SHA1,
即使是传统的分组密码一样
DES,被设计成快。 MD5,
SHA1和DES弱密码
哈希值。在现代的CPU,原始密码
积木像DES和MD5可以
被bitsliced,矢量和
并行,使密码搜索
快如闪电。游戏结束FPGA
实现成本只有几百
美元。
The better you can optimize your password hash function, the faster your password hash function gets, the weaker your scheme is. MD5 and SHA1, even conventional block ciphers like DES, are designed to be fast. MD5, SHA1, and DES are weak password hashes. On modern CPUs, raw crypto building blocks like DES and MD5 can be bitsliced, vectorized, and parallelized to make password searches lightning fast. Game-over FPGA implementations cost only hundreds of dollars.
Some comments on the PHP MD5 documentation also discuss preference for slowness.
要回答你的问题,它看起来像BCrypt是要走的路。不过,我一直没能找到ASP经典的实现。如果这是真的,我会坚持像SHA512常规哈希函数。
To answer your question, it looks like BCrypt is the way to go. However, I have not been able to find any implementations for ASP Classic. If that's true, I would stick with a regular hash function like SHA512.
这篇关于推荐哈希在ASP经典密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
