Salting:使用用户名是否合理? [英] Salting: Is it reasonable to use the user name?

问题描述

我正在讨论使用用户名作为加密码的方法，而不是将随机字符串与名称一起存储.我的理由是盐的目的是为了防止出现彩虹表，那么，这实际上比那里的另一组数据安全性低了吗?

I am debating using user-names as a means to salt passwords, instead of storing a random string along with the names. My justification is that the purpose of the salt is to prevent rainbow tables, so what makes this realistically less secure than another set of data in there?

例如

hash( md5(johnny_381@example.com), p4ss\/\/0rD)

vs

hash( md5(some_UUID_value), p4ss\/\/0rD)

是否有真正的原因我不能仅仅坚持使用用户名并简化事情?我的网络搜索唯一引起的争论是关于盐应如何像这样的密码，但最终却没有任何背后的理由，在我看来，这仅仅是为了防止类似可以在不超过一百万年的时间内与之抗衡的可破解饼干.考虑到现实的处理限制，如果人们知道哈希，仍然不知道密码，并且他们已经进入超级计算机范围以对每个哈希进行暴力破解，我认为这没什么大不了的.

Is there a real reason I couldn't just stick with the user name and simplify things? The only thing my web searching resulted was debates as to how a salt should be like a password, but ended without any reasoning behind it, where I'm under the impression this is just to prevent something like a cain-and-able cracker to run against it without being in the range of a million years. Thinking about processing limitations of reality, I don't believe this is a big deal if people know the hash, they still don't know the password, and they've moved into the super-computer range to brute force each individual hash.

有人可以在这里启发我吗?

Could someone please enlighten me here?

推荐答案

当用户名更改(如果可以更改)时，您将遇到问题.您无法更新哈希密码，因为您不存储未加盐，未哈希的密码.

You'll run into problems, when the username changes (if it can be changed). There's no way you can update the hashed password, because you don't store the unsalted, unhashed password.

这篇关于Salting:使用用户名是否合理?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！