Simple password encryption


Question

What is a good, simple encryption scheme for protecting passwords in a database? I don't necessarily need anything that's hyper-secure nor do I need anything that's lightning fast, but those things would be nice. Primarily, I just want something that's easy to implement without being terribly slow or insecure.

Recommended answer

As mk said, SHA1 or MD5 are standard, as is SHA2.

Update: As processors have gotten faster over the years, hashes have gotten more brute-forceable. It's now recommended you use bcrypt.

What you want is more generally called a cryptographic hash function. Cryptographic hashes are designed to be one-way (given the resulting hash, you shouldn't be able to derive the original input). Also, the likelihood of two arbitrary strings having the same hash (known as a hash collision) should be low (ideally 1/number of hash values).

Unfortunately, just because your passwords are hashed doesn't free you from having to try really hard to keep the hashed versions safe. Far too many people will use weak passwords that would be vulnerable to an off-line brute-force attack.

Edit - several people have also already pointed out the importance of using a salt. A salt is a constant value that you mix in with the input before using the hash function. Having a unique salt prevents off-line attackers from using pre-computed tables of common passwords (rainbow tables) to brute-force your passwords even faster.
