多次加密密码真的会更安全吗? [英] Does encrypting a password multiple times really make it more secure?
问题描述
可能的重复:
是双重哈希"吗?密码比散列一次更不安全?
所以,我正在阅读一篇关于保护 PHP 网站的文章,他们建议多次散列密码,实际上,这是文章的直接引用:
So, I was reading an article on securing PHP websites and they recommended hashing a password multiple times, in fact, this is a direct quote from the article:
md4(md4(md5(sha1(md4(md5(sha1(sha1($_POST['password']))))))));
现在,就我个人而言,我通常在我的密码中使用加盐的 SHA-256 哈希,因为我认为 MD4 和 MD5 不再安全,并且多次哈希密码只会给服务器带来太大的压力,没有实际意义益处.对吗?
Now, personally, I generally use a salted SHA-256 hash on my passwords, because I thought that MD4 and MD5 were no longer secure and that hashing a password multiple times would just put too much strain on a server for no practical benefit. Is that correct?
推荐答案
如果您不对密码进行数万次哈希处理,您将不知道自己在做什么.
If you don't hash your passwords tens of thousands of times, you don't know what you are doing.
这计算成本高;这就是我想说的.对于验证具有正确密码的用户的合法目的,负载可以忽略不计.但对于试图在离线攻击中测试大量密码列表的破解者来说,成本高得令人望而却步.
This is computationally expensive; that is the point. For the legitimate purpose of authenticating a user who has the correct password, the load is negligible. But for a cracker who is trying to test a huge list of passwords in an offline attack, the cost is prohibitive.
使用散列函数的数千次迭代是一种成熟且广泛使用的密钥强化"技术.它包含在密钥派生标准中,并用于 bcrypt 等算法以保护密码.
Using thousands of iterations of a hash function is a well-established and widely used technique for "key strengthening." It is incorporated in standards for key derivation, and used in algorithms like bcrypt for password protection.
使用 bcrypt 或 PBKDF2,这将要求您使用盐和迭代.不要尝试使用一些损坏的散列来构建自己的方法.
Use bcrypt or PBKDF2, which will require you to use salt and iterations. Don't try to make up your own method using a few broken hashes.
这篇关于多次加密密码真的会更安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!