Password hashing (non-SSL)


Question

How is the password sent from browser to server in the case of a non-SSL transfer?

I want to use bcrypt to hash password+salt before sending... but it seems there is no JavaScript implementation of the bcrypt algorithm...

Is MD5 or SHA-1 good enough?

PS: My site does not store any user personal information. I just want to make sure the user's intended password is not hacked, as the user might be using the same password at other sites that contain his/her personal information.

Answer

Truthfully, you can hash it on the front end, but it isn't going to solve your underlying problem. Since you are going to store the hash for later verification, all a hacker needs to know is what the hashed value is. Then the hacker can send the hashed value to you, and your system will authenticate it as the correct value. You are essentially sending the password unencrypted to the system.

To be effective at all, the transfer needs to be encrypted through SSL.

Actually, the easy way to get around the hashing issue is to just play the man-in-the-middle attack. Since it's not using SSL, the person using the browser has no way of knowing the HTML content is not from your server. An attacker can simply position his code between the client and the server and place additional code in the HTML to key-log the password. The posted information then goes to the attacker; he or she takes what is wanted (in this case the password), and then forwards the information along to your server. Neither you nor the user will know you are not communicating with each other.

This is the reason why you have to buy a certificate from a verifiable source. They are verifying that the server you are communicating with is who it says it is.

Related: DNS poisoning
