我应该使用什么算法将密码散列到我的数据库中? [英] What algorithm should I use to hash passwords into my database?
问题描述
有没有任何可用的东西,不会被轻易破坏?
Is there anything available that isn't trivially breakable?
推荐答案
这个 2008 年的答案现在已经过时了. SHA(所有变体)现在很容易被破坏,最佳实践是现在(截至 2013 年 1 月)使用密钥拉伸哈希(例如PBKDF2) 或理想的 RAM 密集型 (如 Bcrypt) 并添加每个用户的盐.
This 2008 answer is now dangerously out of date. SHA (all variants) is now trivially breakable, and best practice is now (as of Jan 2013) to use a key-stretching hash (like PBKDF2) or ideally a RAM intensive one (like Bcrypt) and to add a per-user salt too.
第 2、3、4 点仍然值得关注.
Points 2, 3 and 4 are still worth paying attention to.
有关更多信息,请参阅 IT 安全 SE 站点.
See the IT Security SE site for more.
2008 年的原始答案:
Original 2008 answer:
使用经过验证的算法.SHA-256 在数据库中使用 64 个字符,但列上的索引没有问题,它是一种经过验证的哈希,比 MD5 和 SHA-1 更可靠.它也作为标准安全套件的一部分以大多数语言实现.但是,如果您使用 SHA-1,请不要难过.
Use a proven algorithm. SHA-256 uses 64 characters in the database, but with an index on the column that isn't a problem, and it is a proven hash and more reliable than MD5 and SHA-1. It's also implemented in most languages as part of the standard security suite. However don't feel bad if you use SHA-1.
不要只对密码进行哈希处理,还要将其他信息放入其中.您经常使用用户名:密码:盐"的哈希值.或类似的,而不仅仅是密码,但如果你玩这个,那么你会更难运行字典攻击.
Don't just hash the password, but put other information in it as well. You often use the hash of "username:password:salt" or similar, rather than just the password, but if you play with this then you make it even harder to run a dictionary attack.
安全是一个艰难的领域,不要认为你可以发明自己的算法和协议.
Security is a tough field, do not think you can invent your own algorithms and protocols.
不要写像[AddUser] Hash of GeorgeBush:Rep4Lyfe:ASOIJNTY is xyz"这样的日志
Don't write logs like "[AddUser] Hash of GeorgeBush:Rep4Lyfe:ASOIJNTY is xyz"
这篇关于我应该使用什么算法将密码散列到我的数据库中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
