如何正确使用AES_ENCRYPT? [英] How to use AES_ENCRYPT properly?
问题描述
我正在尝试使用AES加密( MySQL中的> AES_ENCRYPT )作为用户密码,但我遇到了许多其他问题.
I'm trying to use AES encryption (AES_ENCRYPT in MySQL) for user passwords but I came up with a bunch of different problems.
这是我用于将新用户存储到数据库中的SQL查询:
This is the SQL query that I use to store a new user into the database:
INSERT INTO user VALUES (
'15',
'John',
'Doe',
'123 Fake St.',
AES_ENCRYPT('mypassword', 'mysalt'),
'mysalt'
)
在实际情况下,盐将是随机字符串.
Where the salt would be a random string in a real case.
工作正常.我的意思是,我能够检索原始密码.在此示例中,AES_DECRYPT(user.password, 'mysalt') WHERE user.id = 15检索mypassword.但是我可能忽略了一些事情.
It works fine. I mean, I'm able to retrieve the original password. In this example, AES_DECRYPT(user.password, 'mysalt') WHERE user.id = 15 retrieves mypassword. But I might be overlooking some things.
-
将盐和密码一起保存是否安全?除了通过默默无闻的事物提供安全性.
存储哈希密码的最佳格式是什么?我正在使用
VARBINARY,但是存储的字符串看起来像8�p�����_�Z�\.
What is the best format to store the hashed password? I'm using
VARBINARY but the stored string looks like 8�p�����_�Z�\.
最后,密码应该多长时间,密码应该多长时间? 会是盐吗?
And finally, how long should the password be and how long should the salt be?
谢谢
推荐答案
通常,实际上没有必要对密码进行反向加密.具有该功能会从本质上降低系统的安全性.而是使用不可逆的哈希函数.我建议使用SHA-256(或更大版本),它会产生字符串结果:
Typically, there is no actual need to reverse encrypt a password. Having that ability inherently decreases the security of the system. Instead, use an irreversible hash function. I suggest SHA-256 (or larger) which produces a string result:
SHA2 (CONCAT (user.name, user.password, 'some salt', user.id), 256)
我也使批量 彩虹表 变得沮丧,因为无法通过滚动其他数据来使用通常在密码验证时就知道.
I have also frustrated bulk rainbow tables from being any use by rolling in other data always known at password validation time.
SHA2需要MySQL 5.5或更高版本.如果您使用的是较早版本,则SHA1()几乎可以与它媲美,并且通常比MD5,AES等要好得多.
SHA2 requires MySQL 5.5 or later. If you are using an earlier version, SHA1() is nearly as good, and generally much better than MD5, AES, etc.
这篇关于如何正确使用AES_ENCRYPT?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
