如果用于密码哈希的盐“散落”也？ [英] Should the Salt for a password Hash be "hashed" also?

问题描述

我认为这可能是一个愚蠢的问题，但是我对这个应该在这里做的最好的事情变得很困惑。

注意：我在SHA-256中加了一个密码，而Salt是一个预定义的字符串，因为只有一个密码将永远一次存储。

TIA

Chris（Shamballa）。

解决方案

没关系。

盐的目的是防止预计算攻击

无论哪种方式，将盐分散或自己使用，都会导致每次添加相同的数据作为盐。如果你把盐混合在一起，所有你正在做的就是改变盐。首先通过散列，将其转换为不同的字符串，然后将其用作盐。没有理由这样做，但如果你这样做，它不会做任何错误。

你只需要一致，每次使用相同的方法，或者你会最终使用不同的密码哈希。

This I think may be a silly question, but I have become quite confused on what I should do here for the best.

When salting a password hash, should the salt also be hashed or left as plaintext?

NOTE: I am hashing a password in SHA-256 and the Salt is a pre defined string as only one password will ever be stored at a time.

TIA

Chris (Shamballa).

解决方案

It doesn't matter.

The purpose of a salt is to prevent pre-computation attacks.

Either way, hashing the salt or using it by itself, results in the same data being added as a salt each time. If you hash the salt, all you are effectively doing is changing the salt. By hashing it first, you convert it into a different string, which is then used as the salt. There is no reason to do this, but it will not do anything wrong if you do.

You just need to be consistent and use the same method every time or you will end up with a different password hash.

这篇关于如果用于密码哈希的盐“散落”也？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！