Using a hash of data as a salt

Question

I was wondering - are there any disadvantages in using the hash of something as a salt of itself?

E.g. hashAlgorithm(data + hashAlgorithm(data))

This prevents the usage of lookup tables, and does not require the storage of a salt in the database. If the attacker does not have access to the source code, he would not be able to obtain the algorithm, which would make brute-forcing significantly harder.

Thoughts? (I have a gut feeling that this is bad - but I wanted to check if it really is, and if so, why.)

Recommended answer

If the attacker does not have access to the source code

This is called "security through obscurity", which is always considered bad. An inherently safe method is always better, even if the only difference lies in the fact that you don't feel safe "because they don't know how". Someone can and will always find the algorithm -- through careful analysis, trial-and-error, or because they found the source by SSH-ing to your shared hosting service, or any of a hundred other methods.
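
An added example, not part of the original question or answer: it compares the self-salted construction from the question with a random per-record salt, using constructed sample passwords. SHA-256 stands in for the unnamed `hashAlgorithm`, and the function names and PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def self_salted(data: bytes) -> bytes:
    """Scheme from the question: hashAlgorithm(data + hashAlgorithm(data)).
    SHA-256 is an assumption; the question does not name an algorithm."""
    inner = hashlib.sha256(data).digest()
    return hashlib.sha256(data + inner).digest()


def random_salted(data: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Conventional alternative: a random salt per record, stored next to
    the digest. The iteration count here is illustrative only."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)
    return salt, digest


def verify_random_salted(data: bytes, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = random_salted(data, salt)
    return hmac.compare_digest(digest, expected)


def demo() -> dict:
    # Constructed sample: three accounts, two of which share a password.
    passwords = [b"correct horse", b"correct horse", b"tr0ub4dor"]

    # The "salt" is a pure function of the data, so equal inputs give equal
    # digests: the scheme behaves like one fixed, unsalted hash function,
    # and its only protection is that the construction is unknown.
    self_digests = [self_salted(p) for p in passwords]

    # A random salt makes every stored digest differ, even for equal inputs.
    records = [random_salted(p) for p in passwords]

    return {
        "self_distinct": len(set(self_digests)),
        "random_distinct": len({d for _, d in records}),
        "verifies": all(verify_random_salted(p, s, d)
                        for p, (s, d) in zip(passwords, records)),
    }


if __name__ == "__main__":
    print(demo())
```

The two accounts with the same password collapse to one digest under the self-salted scheme, while the randomly salted records stay distinct and still verify with the stored salt.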
