您如何在MySQL中安全地存储用户的密码和盐? [英] How do you securely store a user's password and salt in MySQL?
问题描述
因此,我在SO上发现应该将密码和"salt"一起散列. (可以在此处和
So, I found out on SO that you're supposed to hash the password together with a "salt". (The articles can be found here and here.)
代码如下:
$password = 'fish';
/* should be "unique" for every user? */
$salt= 'ABC09';
$site_key = 'static_site_key';
hash_hmac('sha1', $password . $salt, $site_key);
现在我需要将$password和$salt都保存在MySQL中,就像这样:
And now I need to save both the $password and $salt in MySQL, like so:
+---------+--------+----------+-------+
| user_id | name | password | salt |
+---------+--------+----------+-------+
| 1 | krysis | fish** | ABC09 |
+---------+--------+----------+-------+
** fish当然会被散列,并且不会以纯文本格式存储.
** fish will of course be hashed and not stored in plain text.
我只是想知道以这种方式进行操作实际上是否有意义,因为通过这种方式,黑客或其他人也都可以理解吗?因此,如果他们破解了密码并看到密码为fishABC09,他们会自动知道密码为fish吗?还是他可能永远"无法破解密码,因为他不知道secret_key,因为它没有存储在数据库中?
And I'm just wondering whether or not it actually makes sense to do it this way, because this way a hacker or whoever will also know the salt? So, if they crack the password and the see it's fishABC09 they automatically will know the password is fish? Or might he "never" be able to crack the password because he doesn't know the secret_key, as it isn't stored in the database?
很抱歉,如果我没有任何道理.我只是一直使用sha1作为密码,今天我发现这些文章都在谈论添加salt.
I'm sorry if I'm not making any sense. I just always used sha1 for passwords, and today I found these articles that talked about adding a salt.
推荐答案
有很多有关正确存储密码的文章.例如其中之一:存储密码-操作正确!
There are good articles about storing passwords right. One of them for example: Storing Passwords - done right!
您应该为每个用户使用不同的盐,但是无需分别存储盐.请参见另一个线程
You should use different salt for every user, but there's no need to store the salts separately. See similar discussion in another thread
顺便说一句,您可能不应该使用sha1,但是例如sha256或sha512会更强一些(至少是为了避免不好的宣传).有一个很好的答案:不安全感如何盐腌的SHA1与盐腌的SHA512相比
By the way, you probably shouldn't be using sha1 but e.g. sha256 or sha512 something stronger instead (at least to avoid bad publicity). There's a good answer regarding this: How insecure is a salted SHA1 compared to a salted SHA512
这篇关于您如何在MySQL中安全地存储用户的密码和盐?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
