带有单个查询的用户登录名和每个用户的密码盐 [英] User Login with a single query and per-user password salt

问题描述

我决定使用存储在数据库中的每用户盐实现用户登录.该盐的前缀是密码，该密码用SHA哈希并存储在数据库中.

I've decided to implement a user login using a per-user salt, stored in the database. The salt is prefixed to a password which is hashed with SHA and stored in the databse.

过去，当我不使用盐时，我会使用典型的方法来计算使用用户输入的用户名和密码查询返回的行数.但是，对于每位用户盐，您需要先获得盐，然后才能将其与存储的密码哈希进行比较.

In the past when I wasn't using a salt I would use the typical method of counting the number of rows returned by a query using the user inputted username and password. With a per user salt however, you need to get the salt before you can compare it with the stored password hash.

因此，为了避免进行两个查询(一个查询获取盐，另一个查询验证输入凭据)，我决定根据输入的用户名在单个查询中获取盐和哈希密码.像

So to avoid having two queries (1 to get the salt and another to validate the input credentials) I decided to get the salt AND the hashed password in a single query based on the inputted username. Something like

SELECT users.salt, users.password
        FROM users   
        WHERE username = ?'

然后在服务器端代码(PHP)中，将盐与输入的密码连接起来，对其进行哈希处理，然后将其与从数据库中获取的密码进行比较.

and then in the serverside code (PHP) I concatenate the salt with the inputted password, hash it and compare it with the password already taken from the database.

如果不清楚，我想关键的区别是在后一种方法中，我先在PHP wheras中检查凭据，然后再在数据库中完成此操作.

If that isn't clear, I guess the key difference is that in the latter method I am checking credentials in PHP wheras before this was done in the database.

此方法在安全性或其他方面是否有任何缺点

Are there any drawbacks of this method, in terms security or otherwise

推荐答案

您可以在这样的一个查询中完成此操作:

You could accomplish this in one query like this:

SELECT 
   SHA1(CONCAT(users.salt, "password-input")) = users.passwordhash
WHERE 
   username = "username-input"

这篇关于带有单个查询的用户登录名和每个用户的密码盐的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！