你在哪里存储您的盐字符串? [英] Where do you store your salt strings?
问题描述
我哈希数据库存储的密码时,总是用一个适当的每个条目盐字符串。对于我的需要,存储在数据库旁边的哈希密码盐一直工作得很好。
I've always used a proper per-entry salt string when hashing passwords for database storage. For my needs, storing the salt in the DB next to the hashed password has always worked fine.
不过,也有人建议将盐从数据库分开存储。他们的论据是,如果数据库被攻破,攻击者仍然可以建立一个彩虹表采取了具体盐串进去,以便在一个时间来破解一个帐户。如果该帐户具有管理员权限,那么他可能甚至不需要任何破解他人。
However, some people recommend that the salt be stored separately from the database. Their argument is that if the database is compromised, an attacker can still build a rainbow table taking a particular salt string into account in order to crack one account at a time. If this account has admin privileges, then he may not even need to crack any others.
从安全的角度来看,是值得它来存储盐在不同的地方?考虑与服务器code和DB在同一台机器上的Web应用程序。如果盐存储在这台机器上的平面文件,有机会,如果数据库被泄露,盐文件也会如此。
From a security perspective, is it worth it to store salts in a different place? Consider a web application with the server code and DB on the same machine. If the salts are stored in a flat file on that machine, chances are that if the database is compromised, the salts file will be, too.
是否有任何建议的解决方案呢?
Are there any recommended solutions to this?
推荐答案
彩虹表的一点是,他们事先会创建和分发集体节省计算时间为别人 - 它只需只要生成彩虹表上飞,因为它会只是直接破解密码+盐组合(因为有效的是什么产生的彩虹表时的正在做的是pre-运行暴力破解哈希计算),从而论点通过了解盐有人可能会产生彩虹表是虚假的。
The point of rainbow tables is that they're created in advance and distributed en masse to save calculation time for others - it takes just as long to generate rainbow tables on the fly as it would to just crack the password+salt combination directly (since effectively what's being done when generating rainbow tables is pre-running the calculations for brute-forcing the hash), thus the argument that by knowing the salt someone could "generate a rainbow table" is spurious.
有在一个单独的文件中存储盐只要他们是在每个用户的基础上没有真正的点 - 盐点仅仅是为了使它所以,一个彩虹表无法破解的密码,每DB。
There's no real point in storing salts in a separate file as long as they're on a per-user basis - the point of the salt is simply to make it so that one rainbow table can't break every password in the DB.
这篇关于你在哪里存储您的盐字符串?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
