我的密码盐需要多长时间，并且SHA-256足够好？ [英] How long should my password salt be, and is SHA-256 good enough?

问题描述

我正在创建一个我准备尽快向公众发布的游戏社区网站。目前，我正在处理密码和登录。我以前只使用过MD5，但我已经阅读过有关密码安全性的内容，并且听说腌制是目前的方法。

这是我的计划：每个用户都有自己的计划拥有12个随机字符（＃/¤&等）的独特盐，存储在用户表中。盐在注册时与密码一起散列（使用SHA-256），并在登录时重新哈希。

这对您听起来如何？任何我可以改进的地方？我应该去SHA-512和更长的盐，或者这是足够的吗？

解决方案

12个字节的建议应该是一个足够的长度为盐。这需要字典攻击来准备散列密码的2 ⁹⁶ 数据库。有一天，这对于一个黑客来说可能是一个微不足道的操作，但我们仍然是一个解决办法。

NIST推荐SHA256具有足够的密码散列强度，至少现在是这样。

如果您想探索更加强大的密码安全方法，请查看加密技术，如 PBKDF2 ，或使用 Bcrypt 进行自适应哈希处理。但是这些在SQL中没有直接的支持。您必须在应用程序代码中执行哈希，然后将哈希摘要发布到您的数据库。

对于游戏网站来说，这看起来像是安全矫枉过正，但它是一个很好的做法。由于许多用户（不太可能）在他们的游戏登录时使用相同的密码，因为他们的银行登录密码相同！您不希望对导致间接导致重大损失的认证违规负责。

I'm in the process of creating a gaming community site that I'm aiming to release to the public soon. Currently, I'm working on passwords and logins. I've only used MD5 before, but I've read about password safety and heard that salting is currently the way to go.

Here's my plan: Every user has their own unique salt of 12 random characters (#/¤& etc), stored in the users table. The salt is hashed (using SHA-256) along with the password on registration, and re-hashed on login.

How does this sound to you? Anything I can improve? Should I go for SHA-512 and a longer salt, or is this enough?

解决方案

Your suggestion of 12 bytes should be an adequate length for a salt. That would require a dictionary attack to prepare 2⁹⁶ databases of hashed passwords. Someday this might be a trivial operation for a cracker, but we're still a ways off from that.

SHA256 is recommended by NIST as having adequate hashing strength for passwords, at least for now.

If you want to explore even stronger methods of password security, look into key-strengthening techniques like PBKDF2, or adaptive hashing with Bcrypt. But these have no direct support in SQL. You'd have to do the hashing in application code and then post the hash digest to your database.

It may seem like security overkill for a gaming site, but it's a good practice to do it. Because many users (inadvisably) use the same password for their gaming login as they do for their banking login! You don't want to be responsible for an authentication breach that leads indirectly to major losses.

这篇关于我的密码盐需要多长时间，并且SHA-256足够好？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！