多次加密密码真的会更安全吗? [英] Does encrypting a password multiple times really make it more secure?

问题描述

可能的重复:
是双重哈希"吗?密码比散列一次更不安全?

所以，我正在阅读一篇关于保护 PHP 网站的文章，他们建议多次散列密码，实际上，这是文章的直接引用:

So, I was reading an article on securing PHP websites and they recommended hashing a password multiple times, in fact, this is a direct quote from the article:

md4(md4(md5(sha1(md4(md5(sha1(sha1($_POST['password']))))))));

现在，就我个人而言，我通常在我的密码中使用加盐的 SHA-256 哈希，因为我认为 MD4 和 MD5 不再安全，并且多次哈希密码只会给服务器带来太大的压力，没有实际意义益处.对吗?

Now, personally, I generally use a salted SHA-256 hash on my passwords, because I thought that MD4 and MD5 were no longer secure and that hashing a password multiple times would just put too much strain on a server for no practical benefit. Is that correct?

推荐答案

如果您不对密码进行数万次哈希处理，您将不知道自己在做什么.

If you don't hash your passwords tens of thousands of times, you don't know what you are doing.

这计算成本高；这就是我想说的.对于验证具有正确密码的用户的合法目的，负载可以忽略不计.但对于试图在离线攻击中测试大量密码列表的破解者来说，成本高得令人望而却步.

This is computationally expensive; that is the point. For the legitimate purpose of authenticating a user who has the correct password, the load is negligible. But for a cracker who is trying to test a huge list of passwords in an offline attack, the cost is prohibitive.

使用散列函数的数千次迭代是一种成熟且广泛使用的密钥强化"技术.它包含在密钥派生标准中，并用于 bcrypt 等算法以保护密码.

Using thousands of iterations of a hash function is a well-established and widely used technique for "key strengthening." It is incorporated in standards for key derivation, and used in algorithms like bcrypt for password protection.

使用 bcrypt 或 PBKDF2，这将要求您使用盐和迭代.不要尝试使用一些损坏的散列来构建自己的方法.

Use bcrypt or PBKDF2, which will require you to use salt and iterations. Don't try to make up your own method using a few broken hashes.

这篇关于多次加密密码真的会更安全吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！