将密码盐与密码散列分开存储吗? [英] Storing password salts separately from password hashes?
问题描述
可能重复:
盐分和储存盐分的最佳方法是什么?
使用随机盐改进密码哈希
Possible Duplicate:
what is best possible way of salting and storing salt?
Improve password hashing with a random salt
假设使用正确的密码哈希算法并为每个密码生成不同的盐...
Assuming that using a correct algorithm for password hashing and generating different salts for each password...
将盐与密码散列分开存储是否存在安全风险?对于前.在数据库表中,将密码哈希存储在一个列中,将密码盐存储在单独的列中?
Is it a security risk to store salts separately from password hashes? For ex. in a database table, storing password hashes in one column, and password salts in a separate column?
我看到了通过使用特定算法将盐嵌入密码哈希本身的策略.以后就可以从密码哈希中提取盐.这样更安全吗?
I saw strategies where the salt is embedded into the password hash itself, by using a specific algorithm. Later on the salt can be extracted from the password hash. Is this more secure?
推荐答案
从我已经阅读和完成的所有事情来看,将密码哈希和密码盐存储在单独的列中没有任何问题,这是最常见的方法做吧.
From everything I have ever read and done, there is nothing wrong with storing the password hash and password salt in separate columns, and that is the most common way to do it.
身份验证的基本方法应如下所示:
The basic method for authentication should go something like this:
- 使用用户提供的用户名或电子邮件检索user_id和password_salt
- Concat用户提供了带有检索到的盐的密码输入
- 对组合字符串使用哈希算法
- 对照数据库中的哈希检查创建的哈希
这篇关于将密码盐与密码散列分开存储吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
