如何哈希和盐密码 [英] How to hash and salt passwords
问题描述
我意识到这个话题有时被提出来了,但是我发现自己还不完全相信这个话题。
I realize that this topic have been brought up sometimes, but I find myself not entirely sure on the topic just yet.
我想知道你是怎么想的加一个哈希和工作与盐渍哈希?如果密码是用随机生成的盐加密的,那么当用户尝试验证时,我们如何验证呢?我们还需要将生成的哈希存储在数据库中吗?
What I am wondering about how do you salt a hash and work with the salted hash? If the password is encrypted with a random generated salt, how can the we verify it when the user tries to authenticate? Do we need to store the generated hash in our database as well?
有没有什么具体的方法,盐最好应该被生成?哪种加密方式有利于使用?从我所听到的sha256是相当正常的。
Is there any specific way the salt preferably should be generated? Which encryption method is favored to be used? From what I hear sha256 is quite alright.
当用户认证时,是否有一个想法是将哈希值重新盐化?最后一个重要的安全措施是一次又一次的复制?
Would it be an idea to have the hash "re-salted" when the user authenticates? And lastly is it any major security boost to rehash it a bunch of times?
谢谢!
推荐答案
答案是不要自己做。在PHP中使用所有你需要的一行是使用bcrypt。
The answer is to not do it yourself. The one-liner that will do everything you need in PHP is to use bcrypt.
阅读这篇文章,很容易理解并解释你所问的一切: http://codahale.com/how-to-safely-store-a-password/
Read this, it's easy to understand and explains everything you asked: http://codahale.com/how-to-safely-store-a-password/
bcrypt自身考虑了散列,并且可以根据需要配置为复杂,以保持用户密码的完整性,以防止被黑客攻击。
bcrypt takes into account the hashing by itself, and can be configured to be as "complex" as necessary to maintain the integrity of your users' passwords in the event of being hacked.
哦,我们不加密密码,我们把它们哈希。
Oh, and we don't "encrypt" passwords, we hash them.
这篇关于如何哈希和盐密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
