密码:最佳实践? [英] Salting Your Password: Best Practices?
问题描述
我一直很好奇...哪个更好,当盐化密码hashing:前缀或后缀?为什么?
I've always been curious... Which is better when salting a password for hashing: prefix, or postfix? Why? Or does it matter, so long as you salt?
解释一下:我们现在都知道,我们应该 salt 密码,然后我们将其哈希存储到数据库[编辑:例如 Jeff Atwood最近发生了什么< a>]。通常,这是通过在将盐与密码连接之前通过散列算法来实现的。但是示例不同...有些示例在密码前面添加了盐。一些示例在之后添加盐。我甚至看到一些试图把盐放在中间。
To explain: We all (hopefully) know by now that we should salt a password before we hash it for storage in the database [ So you can avoid things like what happened to Jeff Atwood recently]. Typically this is done by concatenating the salt with the password before passing it through the hashing algorithm. But the examples vary... Some examples prepend the salt before the password. Some examples add the salt after the password. I've even seen some that try to put the salt in the middle.
那么这是更好的方法,为什么?是否有一种方法可以减少哈希冲突的机会?我的Google搜索没有对这个主题做出合理的分析。
So which is the better method, and why? Is there a method that decreases the chance of a hash collision? My Googling hasn't turned up a decent analysis on the subject.
编辑:很棒的答案!对不起,我只能选择一个答案。 :)
Great answers folks! I'm sorry I could only pick one answer. :)
推荐答案
前缀或后缀是不相关的,它只是添加一些熵和长度的密码。
Prefix or suffix is irrelevant, it's only about adding some entropy and length to the password.
您应该考虑以下三件事:
You should consider those three things:
- 对于您存储的每个密码,盐都必须不同。 (这是一个很常见的误解。)
- 使用加密安全的随机数字生成器。
- 选择一个足够长的盐。想想生日问题。
有一个很好的 Dave Sherohman的回答另一个问题,为什么你应该使用随机生成的盐,而不是用户的名字(或其他个人数据)。如果你遵循这些建议,你把盐放在哪里真的没有关系。
There's an excellent answer by Dave Sherohman to another question why you should use randomly generated salts instead of a user's name (or other personal data). If you follow those suggestions, it really doesn't matter where you put your salt in.
这篇关于密码:最佳实践?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
