Using BCrypt with a char[]


Question



A few hours ago, I enquired on Stack Overflow about how to convert a char[] to an MD5 hash. A solution was provided, but it was thought to be insecure, as outlined by a couple of people: Generating an MD5 Hash with a char[]

Neil Smithline recommended that I make use of BCrypt, but I am unable to use that with char[]'s.

The reason that I am using a char[] for storing the retrieved password from a login form is because .getPassword() supports only char[].

char[] passwordChars = passwordInputField.getPassword();
// Does not compile: BCrypt.hashpw() expects a String, not a char[]
String hashed = BCrypt.hashpw(passwordChars, BCrypt.gensalt(12));

Currently, I am trying to use the above code to generate a hash, but as the variable passwordChars is of type char[], it is not supported by BCrypt.hashpw().

Now the only reason why I am not using a regular String is because it cannot be cleared from memory.

My question now is - is it possible to somehow use char[]'s with BCrypt?

Thanks in advance!

Solution

Both Java impls of bcrypt that I found take a String as input. As you seem to know, putting the password into a String opens you up to a memory attack.

You can use PBKDF2 as well as bcrypt. Both are considered top-notch. There are PBKDF2 Java code samples here and here. Both allow passing a char[] to the functions.

To answer an implicit question from the comments, the reason that you don't use MD5 or any hash is that they are just too fast. Brute forcing passwords with special hardware becomes possible with them. Bcrypt and PBKDF2 are designed to be slow.

Even if you're going to use a hash (which I recommend against), you must salt it. Reversing unsalted password hashes is trivial (see this tool).

CrackStation's reference on password storage is a good general reference.
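The answer above notes that Java's PBKDF2 API accepts a char[] directly. As an added example (not code from the question or the answer), this is what that looks like with the JDK's SecretKeyFactory: the password never becomes a String, the spec's internal copy and the caller's array are wiped, and verification compares in constant time. The class name, the work factor and the sample password are my assumptions.

```java
import java.security.*;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class CharArrayPasswordHasher {
    // Work-factor assumptions (mine, not from the answer): PBKDF2-HMAC-SHA256,
    // 600,000 iterations, 16-byte random salt, 32-byte derived key.
    private static final int ITERATIONS = 600_000;
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;

    // Derives the key straight from the char[]; the caller still owns and must wipe the array.
    public static byte[] hash(char[] password, byte[] salt) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword(); // zeroes the spec's private copy of the password
        }
    }

    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // Constant-time comparison so timing does not reveal how many leading bytes matched.
    public static boolean verify(char[] candidate, byte[] salt, byte[] expected) {
        byte[] actual = hash(candidate, salt);
        try { return MessageDigest.isEqual(actual, expected); }
        finally { Arrays.fill(actual, (byte) 0); }
    }

    public static void main(String[] args) {
        // Constructed sample standing in for passwordInputField.getPassword().
        char[] password = "correct horse battery staple".toCharArray();
        byte[] salt = newSalt();
        byte[] stored = hash(password, salt);
        Arrays.fill(password, '\0'); // wipe the caller's copy as soon as it is no longer needed
        char[] attempt = "correct horse battery staple".toCharArray();
        boolean ok = verify(attempt, salt, stored);
        Arrays.fill(attempt, '\0');
        System.out.println(ok);
    }
}
```

Store the salt alongside the derived key; the wiping only helps if no other copy of the password (for example a String built along the way) is left on the heap.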
