您如何在MySQL中安全地存储用户的密码和盐? [英] How do you securely store a user's password and salt in MySQL?
问题描述
因此,我在SO上发现应该将密码和"salt"一起散列. (可以在此处和
So, I found out on SO that you're supposed to hash the password together with a "salt". (The articles can be found here and here.)
代码如下:
$password = 'fish';
/* should be "unique" for every user? */
$salt= 'ABC09';
$site_key = 'static_site_key';
hash_hmac('sha1', $password . $salt, $site_key);
现在我需要将$password
和$salt
都保存在MySQL中,就像这样:
And now I need to save both the $password
and $salt
in MySQL, like so:
+---------+--------+----------+-------+
| user_id | name | password | salt |
+---------+--------+----------+-------+
| 1 | krysis | fish** | ABC09 |
+---------+--------+----------+-------+
** fish
当然会被散列,并且不会以纯文本格式存储.
** fish
will of course be hashed and not stored in plain text.
我只是想知道以这种方式进行操作实际上是否有意义,因为通过这种方式,黑客或其他人也都可以理解吗?因此,如果他们破解了密码并看到密码为fishABC09
,他们会自动知道密码为fish
吗?还是他可能永远"无法破解密码,因为他不知道secret_key
,因为它没有存储在数据库中?
And I'm just wondering whether or not it actually makes sense to do it this way, because this way a hacker or whoever will also know the salt? So, if they crack the password and the see it's fishABC09
they automatically will know the password is fish
? Or might he "never" be able to crack the password because he doesn't know the secret_key
, as it isn't stored in the database?
很抱歉,如果我没有任何道理.我只是一直使用sha1
作为密码,今天我发现这些文章都在谈论添加salt
.
I'm sorry if I'm not making any sense. I just always used sha1
for passwords, and today I found these articles that talked about adding a salt
.
推荐答案
有很多有关正确存储密码的文章.例如其中之一:存储密码-操作正确!
There are good articles about storing passwords right. One of them for example: Storing Passwords - done right!
您应该为每个用户使用不同的盐,但是无需分别存储盐.请参见另一个线程
You should use different salt for every user, but there's no need to store the salts separately. See similar discussion in another thread
顺便说一句,您可能不应该使用sha1,但是例如sha256或sha512会更强一些(至少是为了避免不好的宣传).有一个很好的答案:不安全感如何盐腌的SHA1与盐腌的SHA512相比
By the way, you probably shouldn't be using sha1 but e.g. sha256 or sha512 something stronger instead (at least to avoid bad publicity). There's a good answer regarding this: How insecure is a salted SHA1 compared to a salted SHA512
这篇关于您如何在MySQL中安全地存储用户的密码和盐?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!