为什么对散列密码加盐会提高安全性? [英] Why does salting a hashed password increase security?
问题描述
我一直在研究如何将密码安全地存储在数据库中.通常建议您使用盐.正如 PHP 密码的安全散列和盐,这会改变哈希值,使密码更难以破解.
I've been doing some research about securely storing passwords in a database. It is generally suggested that you use a salt. As explained in one of the answers in Secure hash and salt for PHP passwords, this changes the value of hashes, making a password more difficult to compromise.
作为验证机制的一部分,用户输入的密码与盐结合并根据需要进行散列.鉴于盐对用户是透明的,使用盐如何提供任何额外的好处?
As part of the verification mechanism, the password entered by the user is combined with the salt and hashed as needed. Given that the salt is transparent to the user, how does using salt provide any added benefit?
正如我所见,无论是否经过哈希处理,相同的密码都将成功验证您的身份,因为使其与众不同的管道将在幕后进行.这就是为什么到目前为止我读过的文章都没有澄清.
As I see it, with or without hashing, the same password will successfully authenticate you, because the plumbing that makes it different will take place behind the scenes. That is why none of the articles I've read so far have clarified things.
推荐答案
考虑一个场景,您接受来自用户的密码,然后通过网络发送密码或以纯文本形式存储在数据库中.
consider a scenario, where you accept a password from you user and you are sending it over network or storing in database as plain-text.
如果您的用户输入密码,请说 6-8 个字符长.黑客可能会为所有可能的 6-8 个字符长度的字符串预先生成哈希值,并且他可以通过将其与您的哈希值进行比较来推断出密码.(将您的哈希值与所有预先生成的哈希值进行匹配,他可以获得一组可能的候选者,如果发生冲突)
if your user enters a password say 6-8 characters long. A hacker may have pre-generate hashes for all possible strings of 6-8 characters length and he can possibly deduce the password, by comparing it with your hash.(Matching your hash against all the pre-generates hashes, he can get a set of possible candidates,if collision occurs)
但是,如果您在他的纯文本密码中添加 30 个字符的盐,然后对其进行哈希处理.任何黑客都很难预先生成该范围的所有可能组合.这就是我们使用盐的主要原因.
But if you append a salt of say 30 chracters to his plain-text password and then hash it. it becomes very difficult for any hacker to pre-generate all the possible combinations of that range. That is the main reason why we use a salt.
出于安全考虑,您不能限制每个用户输入 30 个字符长的密码.如果任何用户选择 4 个字符长度的密码,只需添加 30 个字符的盐并使其更安全.
You cant restrict every user to input a 30 character long password for security purposes. if any user chooses a 4 char length password, just add 30 char salt and make it more secure.
这篇关于为什么对散列密码加盐会提高安全性?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
