Password Salt: Additional Best Practices


Question


Like most programmers, I am not an expert on cryptography but I understand the basics. However, a little knowledge can be a dangerous thing, as noted in Jeff's blog post. With that in mind, I understand the purpose of a salt value but I need a little help understanding how to use salt values.


I've read in the other posts on this subject that it is best to use a random salt value for each password to be encrypted. If this is the case, how do I reproduce that random salt value when I attempt to authenticate a user? In this scenario I would encrypt the plaintext password supplied by the user, encrypt it, and compare it to what is stored in the database. Do I store the random salt value on the user record along with the encrypted password when the password is created? Does this then make the salt value useless if a hacker has the complete user record?

Answer


The primary purpose of a salt is to prevent the usage of rainbow tables when cracking password hashes - without the usage of a salt, one could simply use a pre-generated reverse-lookup table to find the hash and immediately know what password likely generated it.


With a salt, the rainbow table approach is defeated because the mapping of hashes to passwords is completely different for that particular salt - and thus one would have to generate rainbow tables individually for every salt value (and the time it takes to generate rainbow tables is proportional to the time it would take to brute force the hash without the assistance of the rainbow table in the first place).


Since the salt serves its purpose in not allowing the usage of a pre-generated rainbow table regardless of whether the attacker knows the specific salt for a given user's entry or not, there's no real reason to store it separately, as long as you're using unique salts for each entry.
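The store-the-salt-next-to-the-hash approach the answer describes, as an added example that is not part of the original question or answer. It uses only the Python standard library (hashlib.pbkdf2_hmac, secrets, hmac); the record format "pbkdf2_sha256$iterations$salt$hash", the 16-byte salt length, the iteration count and the small word list are assumptions made for this example. It also demonstrates the answer's point that the salt need not be secret: a precomputed table of unsalted SHA-256 values recovers the password, but the same table finds nothing once a per-user salt is mixed in, even though that salt is stored in the clear right beside the hash.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Parameters chosen for this example (assumptions, not values from the post).
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor
ALGO_TAG = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn for every call; passing one explicitly is
    only for the demonstration below, never for production use.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO_TAG}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash using the salt and iteration count stored in the record."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False                      # malformed or tampered record
    if algo != ALGO_TAG:
        return False                      # unknown algorithm tag
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def same_password_distinct_records(password: str, users: int = 3) -> bool:
    """Hash one password for several users: every stored hash must differ."""
    digests = {hash_password(password).split("$")[3] for _ in range(users)}
    return len(digests) == users


# --- Why a known salt still defeats a precomputed table -------------------

# Constructed sample word list standing in for an attacker's dictionary.
WORDLIST: List[str] = ["password", "letmein", "hunter2", "correct horse"]


def precomputed_table(wordlist: List[str]) -> Dict[str, str]:
    """Attacker's reverse-lookup table: unsalted SHA-256 hex -> plaintext."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}


def unsalted_sha256(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_sha256(salt: bytes, password: str) -> str:
    """Plain salted hash (salt prepended) to isolate the effect of the salt."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def lookup(stored_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Return the plaintext if the stored hash appears in the attacker's table."""
    return table.get(stored_hex)


if __name__ == "__main__":
    record = hash_password("hunter2")
    print("stored record:", record)
    print("correct password verifies:", verify_password("hunter2", record))
    print("wrong password verifies:", verify_password("hunter3", record))

    table = precomputed_table(WORDLIST)
    salt = secrets.token_bytes(SALT_BYTES)           # attacker can see this
    print("unsalted lookup:", lookup(unsalted_sha256("hunter2"), table))
    print("salted lookup:  ", lookup(salted_sha256(salt, "hunter2"), table))
```

The stored record carries everything verification needs (algorithm tag, iteration count, salt), so the salt is reproduced simply by reading it back, which is the answer to the question's "how do I reproduce that random salt value". Knowing the salt only lets the attacker start a fresh brute-force against that one record; the table built in advance for unsalted hashes is useless against it. For a new deployment a memory-hard function such as scrypt (hashlib.scrypt) or Argon2 is the usual choice over PBKDF2; the salt handling shown here is the same either way.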
