我应该使用什么算法将密码加入我的数据库？ [英] What algorithm should I use to hash passwords into my database?

问题描述

解决方案

这个2008年的答案现在已经过时了。 SHA（所有变体）现在都是微不足道的，最好的做法是（截至2013年1月）使用按键拉伸哈希PBKDF2）或理想的RAM密集型（如 Bcrypt ），并添加每用户盐。

第2,3和4点仍然值得关注。

请参阅 IT Security SE网站。

---

原始2008年答案：

1. 使用成熟的算法。 SHA-256在数据库中使用64个字符，但在列上的索引不是问题，它是经过验证的散列，比MD5和SHA-1更可靠。它也在大多数语言中实现，作为标准安全套件的一部分。但是，如果您使用SHA-1，请不要感到不舒服。




2. 不要只是哈希密码，而是将其他信息放在其中。您经常使用username：password：salt或类似的哈希值，而不是仅仅是密码，但是如果你玩这个，那么你更难以运行字典攻击。




3. 安全是一个艰难的领域，不要以为你可以发明自己的算法和协议。




4. 不要写日志[AddUser] GeorgeBush的哈希：Rep4Lyfe：ASOIJNTY是xyz

Is there anything available that isn't trivially breakable?

解决方案

This 2008 answer is now dangerously out of date. SHA (all variants) is now trivially breakable, and best practice is now (as of Jan 2013) to use a key-stretching hash (like PBKDF2) or ideally a RAM intensive one (like Bcrypt) and to add a per-user salt too.

Points 2, 3 and 4 are still worth paying attention to.

See the IT Security SE site for more.

---

Original 2008 answer:

1. Use a proven algorithm. SHA-256 uses 64 characters in the database, but with an index on the column that isn't a problem, and it is a proven hash and more reliable than MD5 and SHA-1. It's also implemented in most languages as part of the standard security suite. However don't feel bad if you use SHA-1.

2. Don't just hash the password, but put other information in it as well. You often use the hash of "username:password:salt" or similar, rather than just the password, but if you play with this then you make it even harder to run a dictionary attack.

3. Security is a tough field, do not think you can invent your own algorithms and protocols.

4. Don't write logs like "[AddUser] Hash of GeorgeBush:Rep4Lyfe:ASOIJNTY is xyz"

这篇关于我应该使用什么算法将密码加入我的数据库？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！