C ++哈希函数对于密码是否合理安全? [英] Is the c++ hash function reasonably safe for passwords?
问题描述
C ++中的内置哈希函数对于哈希密码是否相当安全?例如类似下面的内容.
#include <iostream>
#import <string>
int main ()
{
std::hash <std::string> hash;
std::string passwordGuess;
unsigned long hashedPassword = 1065148159544519853; // hash of password
std::cout << "Enter your password: ";
std::cin >> passwordGuess;
unsigned long hashedPasswordGuess = hash(passwordGuess);
if (hashedPasswordGuess == hashedPassword) {
std::cout << "Password is correct!" << std::endl;
} else {
std::cout << "Password is wrong!" << std::endl;
}
}
这合理吗?
这是相当安全的地方,因为该哈希函数不能用于加密目的 >.
实际上,即使是用于加密目的的哈希函数(打算)(例如,现在已损坏的MD5,良好的旧SHA1甚至是非常新的SHA3)也并不用于哈希存储的密码;这是因为它们被设计为快速,而为了密码安全,您希望将哈希设计为 slow ,以限制散列泄漏时的损害.
如果打算散列密码,则应查找 bcrypt 或 PBKDF2 ;我知道 Crypto ++ 至少会做后者.
有关散列密码的详细分析,另请参见如何安全地散列密码.
Is the built in hash function in c++ reasonably safe for hashing passwords? For instance something like the below.
#include <iostream>
#import <string>
int main ()
{
std::hash <std::string> hash;
std::string passwordGuess;
unsigned long hashedPassword = 1065148159544519853; // hash of password
std::cout << "Enter your password: ";
std::cin >> passwordGuess;
unsigned long hashedPasswordGuess = hash(passwordGuess);
if (hashedPasswordGuess == hashedPassword) {
std::cout << "Password is correct!" << std::endl;
} else {
std::cout << "Password is wrong!" << std::endl;
}
}
Is this reasonably safe or not?
It is nowhere near reasonably safe, as this hash function is not intended to be used for cryptographic purposes.
Actually, even hash functions intended to be used for cryptographic purposes (such as the now-broken MD5, good old SHA1 and even the very new SHA3) are not meant for hashing stored passwords; this is because they are designed to be fast, whereas for password security you want a hash designed to be slow in order to limit the damage if the hashes are leaked.
If you intend to hash passwords you should look up C++ (or C, as you they will be probably easier to find) implementations of bcrypt or PBKDF2; I know that Crypto++ does at least the latter.
For a detailed analysis of hashing password, see also how to securely hash passwords.
这篇关于C ++哈希函数对于密码是否合理安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
