Why should I care about hashing passwords anyway?


Problem description

If a hacker has access to the hashes in my DB, he has access to the rest of the information in the DB anyways. So why would he bother trying to decrypt the passwords? Should I be storing the passwords on a different server to the rest of my data? That is the only scenario in which I can envision it being useful.

Recommended answer


  1. Sometimes a hacker doesn't get full access to your DB. Sometimes they find a little SQL injection hole or other weakness that someone didn't code correctly, and so they can only do simple things at first like print out database cells one at a time. If they can print out a real password all of a sudden things get much worse.

  2. Databases are usually backed up to tape, and sometimes those tapes are lost or even just thrown away. If a hacker gets access to a snapshot like this he can learn a lot about your system. But if the passwords are still hashed he can't also use the system to do something malicious, like log in as a different user and start changing things. Even worse, most users keep one or a few passwords across many systems. Finding an old backup tape in the dump can be a goldmine for other accounts, even if the tape is for a defunct system. Properly hashed passwords protect against this.

  3. I've heard that most hacks are an inside job. Better to remove the ability even for people you trust to log in as others.

If you think this kind of thing doesn't happen, go talk to the guys at reddit.
