盐渍你的密码:最佳实践? [英] Salting Your Password: Best Practices?
问题描述
我一直很好奇......在为散列加盐密码时哪个更好:前缀或后缀?为什么?还是没关系,只要你加盐?
I've always been curious... Which is better when salting a password for hashing: prefix, or postfix? Why? Or does it matter, so long as you salt?
解释:我们都(希望)现在知道我们应该salt在我们将其散列以存储在数据库中之前的密码 [ 这样您就可以避免诸如 Jeff Atwood 最近发生了什么].通常这是通过在通过散列算法之前将盐与密码连接来完成的.但是示例各不相同......一些示例在密码之前添加盐.一些示例在密码之后添加盐.我什至看到有些人试图把盐放在中间.
To explain: We all (hopefully) know by now that we should salt a password before we hash it for storage in the database [ So you can avoid things like what happened to Jeff Atwood recently]. Typically this is done by concatenating the salt with the password before passing it through the hashing algorithm. But the examples vary... Some examples prepend the salt before the password. Some examples add the salt after the password. I've even seen some that try to put the salt in the middle.
那么哪种方法更好,为什么?有没有一种方法可以减少哈希冲突的机会?我的谷歌搜索没有对这个主题进行像样的分析.
So which is the better method, and why? Is there a method that decreases the chance of a hash collision? My Googling hasn't turned up a decent analysis on the subject.
很棒的答案,伙计们!对不起,我只能选择一个答案.:)
Great answers folks! I'm sorry I could only pick one answer. :)
推荐答案
前缀或后缀无关紧要,只是为密码添加了一些熵和长度.
Prefix or suffix is irrelevant, it's only about adding some entropy and length to the password.
你应该考虑这三件事:
- 您存储的每个密码的盐必须不同.(这是一个很常见的误解.)
- 使用加密安全的随机数生成器.
- 选择足够长的盐.想想生日问题.
Dave Sherohman 给出了一个很好的 答案质疑为什么你应该使用随机生成的盐而不是用户名(或其他个人数据).如果您遵循这些建议,那么您将盐放在哪里并不重要.
There's an excellent answer by Dave Sherohman to another question why you should use randomly generated salts instead of a user's name (or other personal data). If you follow those suggestions, it really doesn't matter where you put your salt in.
这篇关于盐渍你的密码:最佳实践?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
