简单的用户名和密码验证Java [英] Simple username and password validation java
问题描述
我正在尝试创建我的第一个登录页面作为学习练习.
I am attempting to create my first login page as a learning exercise.
我的计划是使用例如用户名的盐预先对密码进行哈希处理.将其存储在文本文件中,然后当用户登录时,我将使用相同的盐对密码进行哈希处理并将结果与文本文件进行比较.
My plan was to pre hash the password using a salt of the username for example. Store that in a text file and then when when the user logs in i would hash the password using the same salt and compare the results to the text file.
我是一个完全安全的初学者,所以我不知道这是否安全?小型应用程序的规范是什么?如果不建议使用此方法,什么是合适的简单替代方法?
I am a complete beginner with security etc so i dont know if this would be secure or not? What is the norm for small applications? if this method isnt recommended, what is a suitable simple alternative?
编辑,如果我可以使用它的话,可能的解决方案之一.
EDIT One possible solution if i can get it to work.
String unpwfield;
unpwfield = userId.getText()+passwordfield.getText();
if (BCrypt.checkpw(unpwfield, passwordhash))
System.out.println("It matches");
else
System.out.println(userId.getText()+passwordfield.getText());
推荐答案
对于密码存储,您将要使用 slow 哈希算法.加密哈希值太快,并且不会降低攻击者在脱机密码猜测中的速度.例如, bcrypt 通常是最适合使用的算法.
For password storage, you're going to want to use a slow hashing algorithm. Cryptographic hashes are too fast, and do not slow at attacker down in offline password guessing. For example, bcrypt is often the most suitable algorithm to use.
Bcrypt生成自己的盐,因此您不必担心生成这些盐的安全方法.
Bcrypt generates its own salts, so you do not need to worry about a secure way to generate these.
我会避免使用用户名作为盐.一个麻烦是避免多次使用相同的密码来存储相同的密码.
I would avoid using username as the salt. A salt is to avoid the same password ever being stored with the same byte representation if used multiple times.
原因是,如果用户重复使用相同的密码,那么对于任何对密码哈希数据具有可见性的攻击者来说,这都是显而易见的.同样,如果系统公开可用,则应用程序的每个实例将以完全相同的方式存储admin用户的哈希值,这意味着攻击者将能够使用admin作为预构建彩虹表.
The reasons are if the user reuses the same password, then it is immediately obvious to any attacker with visibility on the password hash data. Also, if your system is openly available, every instance of your application will have the hashes for the admin user stored in exactly the same way, meaning attackers will be able to pre-build rainbow tables with admin as the salt.
有关详细信息和指导,请参见有关密码存储的OWASP备忘单.
See the OWASP Cheat Sheet on Password Storage for further information and guidance.
这篇关于简单的用户名和密码验证Java的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
