你把盐串放在哪里? [英] Where do you store your salt strings?
问题描述
在为数据库存储散列密码时,我总是使用适当的每个条目的盐字符串.根据我的需要,将盐存储在散列密码旁边的数据库中一直工作正常.
I've always used a proper per-entry salt string when hashing passwords for database storage. For my needs, storing the salt in the DB next to the hashed password has always worked fine.
但是,有些人建议将salt与数据库分开存储.他们的论点是,如果数据库遭到破坏,攻击者仍然可以构建彩虹表,将特定的盐串考虑在内,以便一次破解一个帐户.如果这个账号有管理员权限,那他可能就连破解其他账号都不需要了.
However, some people recommend that the salt be stored separately from the database. Their argument is that if the database is compromised, an attacker can still build a rainbow table taking a particular salt string into account in order to crack one account at a time. If this account has admin privileges, then he may not even need to crack any others.
从安全角度来看,将盐存储在不同的地方是否值得?考虑在同一台机器上具有服务器代码和数据库的 Web 应用程序.如果盐存储在该机器上的平面文件中,则很可能如果数据库受到损害,盐文件也将受到损害.
From a security perspective, is it worth it to store salts in a different place? Consider a web application with the server code and DB on the same machine. If the salts are stored in a flat file on that machine, chances are that if the database is compromised, the salts file will be, too.
是否有任何推荐的解决方案?
Are there any recommended solutions to this?
推荐答案
彩虹表的重点在于它们是预先创建并集中分布的,以节省其他人的计算时间 - 生成彩虹表所需的时间也一样长就像直接破解密码+盐组合一样(因为在生成彩虹表时所做的实际上是预先运行用于蛮力散列的计算),因此,通过知道盐,有人可以生成彩虹表"是虚假的.
The point of rainbow tables is that they're created in advance and distributed en masse to save calculation time for others - it takes just as long to generate rainbow tables on the fly as it would to just crack the password+salt combination directly (since effectively what's being done when generating rainbow tables is pre-running the calculations for brute-forcing the hash), thus the argument that by knowing the salt someone could "generate a rainbow table" is spurious.
将盐存储在单独的文件中没有实际意义,只要它们是基于每个用户的 - 盐的目的只是为了使一个彩虹表无法破解文件中的每个密码数据库.
There's no real point in storing salts in a separate file as long as they're on a per-user basis - the point of the salt is simply to make it so that one rainbow table can't break every password in the DB.
这篇关于你把盐串放在哪里?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
