如果使用salt使密码更安全,如果它存储在数据库中? [英] How does using a salt make a password more secure if it is stored in the database?
问题描述
我现在正在学习Rails,但是答案不一定是Rails特有的。
所以,根据我的理解,一个安全的密码系统工作方式如下:
- 用户创建密码
- 系统使用加密算法)。
登录尝试:
- 用户尝试登录
- 系统使用相同的加密算法创建尝试哈希值
- 系统将尝试的哈希与数据库中的密码的哈希进行比较。
- 如果匹配,他们会进入。如果没有,他们必须重试。
根据我的理解,这种方法受到彩虹攻击 - 其中可能发生以下情况。
攻击者可以编写一个脚本,该脚本基本上尝试每个字符,数字和符号的排列,创建具有相同加密算法的散列,并将它们与数据库中的散列进行比较。
因此,它的方法是将哈希与独特的盐组合。在许多情况下,用户注册的当前日期和时间(直到毫秒)。
但是,这个盐存储在数据库列'salt' p>
所以我的问题是,如何改变事实,如果攻击者首先访问数据库,并为真正的密码创建哈希,有盐的哈希,这是不是只是像彩虹攻击?因为,理论将是他尝试每个排列+ salt哈希并将结果与密码哈希比较。
原谅我的无知,我只是在学习这些东西,这从来没有太多意义盐的主要优点(随机选择)是,即使两个人使用相同的密码,哈希将是不同的,因为盐会不同。这意味着攻击者不能预先计算常用密码的哈希值,因为有太多不同的盐值。
请注意,盐不必保密;它只是必须足够大(64位,说)和随机足够,使用相同的密码的两个人有一个消失的小机会,也使用相同的盐。 (你可以,如果你想,检查盐是唯一的。)
I am learning Rails, at the moment, but the answer doesn't have to be Rails specific.
So, as I understand it, a secure password system works like this:
- User creates password
- System encrypts password with an encryption algorithm (say SHA2).
- Store hash of encrypted password in database.
Upon login attempt:
- User tries to login
- System creates hash of attempt with same encryption algorithm
- System compares hash of attempt with hash of password in the database.
- If match, they get let in. If not, they have to try again.
As I understand it, this approach is subject to a rainbow attack — wherein the following can happen.
An attacker can write a script that essentially tries every permutation of characters, numbers and symbols, creates a hash with the same encryption algorithm and compares them against the hash in the database.
So the way around it is to combine the hash with a unique salt. In many cases, the current date and time (down to milliseconds) that the user registers.
However, this salt is stored in the database column 'salt'.
So my question is, how does this change the fact that if the attacker got access to the database in the first place and has the hash created for the 'real' password and also has the hash for the salt, how is this not just as subject to a rainbow attack? Because, the theory would be that he tries every permutation + the salt hash and compare the outcome with the password hash. Just might take a bit longer, but I don't see how it is foolproof.
Forgive my ignorance, I am just learning this stuff and this just never made much sense to me.
The primary advantage of a salt (chosen at random) is that even if two people use the same password, the hash will be different because the salts will be different. This means that the attacker can't precompute the hashes of common passwords because there are too many different salt values.
Note that the salt does not have to be kept secret; it just has to be big enough (64-bits, say) and random enough that two people using the same password have a vanishingly small chance of also using the same salt. (You could, if you wanted to, check that the salt was unique.)
这篇关于如果使用salt使密码更安全,如果它存储在数据库中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
