我应该对表中的密码字段使用什么; MD5还是SHA1? [英] What should I use for password fields in a table; MD5 or SHA1?
问题描述
我绝不是一个安全专家,甚至一个新手。我是安全最好的新手。
有人建议我使用SHA1而不是MD5 - 为什么我会选择一个?
我最少使用SHA2(256),但是:
由于在数据库中简单地对密码进行哈希处理很少或没有任何意义彩虹表攻击。同样,salted哈希更好,但如果有人访问您的数据库,那么很可能他们有权访问您的代码,在这种情况下,他们可能拆卸一个固定的盐。同样,如果你使用随机盐,那么你将它存储在行内,所以虽然它减慢了人们,他们仍然可以用彩虹表攻击它。
更好的解决方案是使用密码拉伸,它使用随机盐以及随机(高的)迭代次数,所以试图对每个密码进行暴力攻击需要大大的更长时间,因此实际上更难破解所有的密码。
我相信。网络这可以使用PBKDF实现 - 但我错过了一个链接(有人提供给我一个问题,我问一个问题的答案)。 EDIT - 找到.Net 的链接: 在MD5上
I am by no means a security expert or even a novice. I'm a newbie at security at best.
Someone suggested I use SHA1 instead of MD5 - why would I choose one over the other? Is one more secure?
I would use SHA2(256) at the minimum - however:
There is little or no point in simply hashing a password in a database due to rainbow table attacks. Equally, salted hashing is better, but if someone has access to your database, then the chances are that they have access to your code in which case they can probably disassemble a fixed salt. Equally, if you use a random salt, then you're storing it inside the row anyway, so while it slows people down they can still attack it with a rainbow table.
A better solution is to use Password Stretching which uses a random salt as well as a random (high) number of iterations so that attempting a brute-force attack against each password takes significantly longer and therefore makes it physically harder to crack all the passwords.
I believe in .Net this can be achieved using PBKDF - but I've mislaid a link to it (somebody supplied it to me an answer to a question I asked a while ago). EDIT-Found the link for .Net: Rfc2898DeriveBytes Class.
On MD5
Whilst MD5 has indeed been shown to be 'broken' as mentioned by the other answers, the main reason why I wouldn't use it - and why I've read that it's inadvisable to use it - is because it's actually very fast, thereby increasing the possibility of a crack within a given period of time.
这篇关于我应该对表中的密码字段使用什么; MD5还是SHA1?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
