加盐密码:最佳实践? [英] Salting Your Password: Best Practices?

问题描述

我一直很好奇...为哈希加密密码时哪个更好:前缀还是后缀?为什么?还是只要你加盐就可以了?

I've always been curious... Which is better when salting a password for hashing: prefix, or postfix? Why? Or does it matter, so long as you salt?

解释一下:我们现在都(希望)知道我们应该salt在我们散列密码以将其存储在数据库中之前输入密码 [ 所以你可以避免像 Jeff Atwood 最近发生了什么事].通常这是通过在将盐传递给散列算法之前将盐与密码连接起来来完成的.但例子各不相同......一些例子在密码前加上盐.一些示例在密码之后添加盐.我什至见过一些人试图把盐放在中间.

To explain: We all (hopefully) know by now that we should salt a password before we hash it for storage in the database [ So you can avoid things like what happened to Jeff Atwood recently]. Typically this is done by concatenating the salt with the password before passing it through the hashing algorithm. But the examples vary... Some examples prepend the salt before the password. Some examples add the salt after the password. I've even seen some that try to put the salt in the middle.

那么哪种方法更好，为什么?有没有一种方法可以减少哈希冲突的机会?我的谷歌搜索还没有对这个主题进行像样的分析.

So which is the better method, and why? Is there a method that decreases the chance of a hash collision? My Googling hasn't turned up a decent analysis on the subject.

很好的答案伙计们！对不起，我只能选择一个答案.:)

Great answers folks! I'm sorry I could only pick one answer. :)

推荐答案

前缀或后缀无关紧要，只是给密码增加一些熵和长度.

Prefix or suffix is irrelevant, it's only about adding some entropy and length to the password.

你应该考虑这三件事:

1. 您存储的每个密码的盐值都必须不同.(这是一个很常见的误解.)
2. 使用加密安全的随机数生成器.
3. 选择足够长的盐.想想生日问题.

Dave Sherohman 的回答对另一个人很好质疑为什么你应该使用随机生成的盐而不是用户名(或其他个人数据).如果你遵循这些建议，那么你把盐放在哪里都没关系.

There's an excellent answer by Dave Sherohman to another question why you should use randomly generated salts instead of a user's name (or other personal data). If you follow those suggestions, it really doesn't matter where you put your salt in.

这篇关于加盐密码:最佳实践?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！