Password hashing (non-SSL)


Question

How is the password sent from the browser to the server in the case of a non-SSL transfer?

I want to use bcrypt to hash password+salt before sending, but it seems there is no JavaScript implementation of the bcrypt algorithm...

Is MD5 or SHA-1 good enough?

PS: My site does not store any user personal information. I just want the user's intended password not to be hacked, as the user might be using the same password at other sites that contain his/her personal information.

Answer

Truthfully, you can hash it on the front end, but it isn't going to solve your underlying problem. Since you are going to store the hash for later verification, all a hacker needs to know is what the hashed value is. Then the hacker can send the hashed value to you, and your system will authenticate it as the correct value. You are essentially sending the password unencrypted to the system.

To be effective at all, the transfer needs to be encrypted through SSL.

Actually, the easy way to get around the hashing issue is to just play the man-in-the-middle attack. Since it's not using SSL, the person using the browser has no way of knowing the HTML content is not from your server. An attacker can simply position his code in between the client and the server and place additional code in the HTML to keylog the password. The posted information then goes to the attacker; he or she takes what is wanted (in this case the password), and then forwards the information along to your server. Neither you nor the user will know you are not communicating with each other.

This is the reason why you have to buy a certificate from a verifiable source. They are verifying that the server you are communicating with is who it says it is.

Related: DNS poisoning

