如果我为每个用户使SALT随机,我如何验证他们? [英] If I make the SALT random for each user, how do I authenticate them?
问题描述
我一直在阅读盐渍和哈希密码的好处,但有一件事仍然没有我...
当我为每个人提供随机盐
所以如果我这样做。
HASHPW = PW.RANDOMNUMBER
我可以在数据库中存储随机数,但这似乎杀死了添加盐的整个过程。不是吗?我也可以为每个盐使用一个非随机数字,但是这也杀死了盐的点,因为如果他们弄清楚它们有我所有的用户密码...
谢谢!
它不会破坏独特盐的存储目的。唯一盐的意义在于保护您的整个用户存储库免受攻击,而不是给定的个人用户。如果攻击者损害您的数据库,并且确定足以破解特定用户的帐户,他们将。我们无法做到这一点。但是,他们必须花费过多的计算机时间这么做 - 足够的花费这么多时间在每个用户,因此保护所有的用户是不可行的。与此相比,对所有用户使用相同的盐 - 一旦攻击者有盐,相同的表/进程可以在相对较短的时间内对每个用户重新运行。
I've been reading up on the benefits of salting and hashing passwords, but one thing still eludes me...
When I provide a random salt for each user, how do I then know what the salt was when I try to authenticate them to login?
so if I do..
HASHPW = PW.RANDOMNUMBER
I could store the random number in the database, but that seems to kill the entire point of adding the salt.. doesn't it? I could also use a non random number for each salt, but then that also kills the point of the salt because if they figure it out they have all my users passwords...
I just started learning PHP and MySQL and abstract things like this have been confusing me
Thanks!
It doesn't defeat the purpose of the unique salt to store it. The point of a unique salt is to protect your entire users repository from attack, not a given individual user. If an attacker compromises your database and is determined enough to crack a particular user's account, they will. There's nothing we can do about this. But they would have to spend an inordinate amount of computer time doing so - enough that it would not be feasible to spend that much time on each user - thus protecting all your users. Contrast this with using the same salt for all users - once the attacker has the salt, the same tables/processes can be re-run against every user in a relatively short time.
这篇关于如果我为每个用户使SALT随机,我如何验证他们?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
