How to use AES_ENCRYPT properly?
Question
I'm trying to use AES encryption (AES_ENCRYPT in MySQL) for user passwords but I came up with a bunch of different problems.
This is the SQL query that I use to store a new user into the database:
INSERT INTO user VALUES (
'15',
'John',
'Doe',
'123 Fake St.',
AES_ENCRYPT('mypassword', 'mysalt'),
'mysalt'
)
Where the salt would be a random string in a real case.
It works fine. I mean, I'm able to retrieve the original password. In this example, AES_DECRYPT(user.password, 'mysalt') WHERE user.id = 15 retrieves mypassword. But I might be overlooking some things.
- Is it safe to store the salt together with the password? Other than as security through obscurity.
- What is the best format to store the hashed password? I'm using VARBINARY but the stored string looks like 8�p�����_�Z�\.
- And finally, how long should the password be and how long should the salt be?
Thanks
Recommended answer
Typically, there is no actual need to reverse encrypt a password. Having that ability inherently decreases the security of the system. Instead, use an irreversible hash function. I suggest SHA-256 (or larger), which produces a string result:
SHA2(CONCAT(user.name, user.password, 'some salt', user.id), 256)
I have also frustrated bulk rainbow tables from being any use by rolling in other data always known at password validation time.
SHA2 requires MySQL 5.5 or later. If you are using an earlier version, SHA1() is nearly as good, and generally much better than MD5, AES, etc.
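The following is an added example that is not part of the original question or answer; it works through the answer's scheme end to end in MySQL. The table name app_user, the column names, and the sample values are assumptions made for the illustration. It stores a per-user random salt beside a SHA-256 digest kept as hex text (a CHAR(64) column, which sidesteps the unreadable VARBINARY bytes from the question), and verifies a login by recomputing the digest rather than decrypting anything.

```sql
-- Added example (not from the original question or answer): a salted,
-- irreversible SHA-256 digest in MySQL instead of a reversible AES_ENCRYPT value.
-- Table and column names are assumptions for this illustration.

CREATE TABLE app_user (
  id            INT UNSIGNED NOT NULL,
  name          VARCHAR(64)  NOT NULL,
  salt          CHAR(32)     NOT NULL,   -- 16 random bytes, hex encoded
  password_hash CHAR(64)     NOT NULL,   -- SHA2(..., 256) returns 64 hex characters
  PRIMARY KEY (id)
);

-- Registration: generate a per-user random salt (RANDOM_BYTES needs
-- MySQL 5.6.17 or later) and store only the digest. The plaintext password
-- is never written to a column, so there is nothing to decrypt later.
SET @uid  := 15;
SET @salt := HEX(RANDOM_BYTES(16));
INSERT INTO app_user (id, name, salt, password_hash)
VALUES (@uid, 'John', @salt,
        SHA2(CONCAT('John', 'mypassword', @salt, @uid), 256));

-- Login check: recompute the digest with the stored salt and the row's own
-- name and id (the "other data always known at validation time" from the
-- answer) and compare. A row comes back only when the candidate matches.
SELECT id
FROM app_user
WHERE id = @uid
  AND password_hash = SHA2(CONCAT(name, 'candidate_password', salt, id), 256);
```

Two practical notes on this shape: the salt is stored next to the hash on purpose (its job is to make each user's digest unique so precomputed tables do not pay off, not to stay secret), and a plain SHA-256 is fast enough that an attacker who obtains the table can still test many guesses per second, so for new designs the hashing is better done in the application with a purpose-built password function (bcrypt, scrypt or Argon2), which also keeps the plaintext out of MySQL's query and general logs.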