Password hash and salting - is this a good method?


Question

I was doing a little research or googling for different methods of handling password hashing and salting and came across this interesting link:

http://phix.me/salt/

Now, essentially what this proposes is the creation of two user functions, one for hashing and one for checking the hash.

The salt is pseudo random but is in actual fact based upon the password (strikes me as bad?).

The hashing function also pseudo randomly "sprinkles" the salt amongst the hash string.

The hash checking function reverses the salt sprinkling and then the actual hash check takes place.

Now, I'm aware that unique salts for each password hash = good, but also that having the logic to hash the passwords and create the salt stored in a db function might = bad.

I like the idea that the salt isn't obvious and that it also needn't be based on some hopefully consistent value such as username, userid, date of birth etc, but as I said I do have my doubts as to the implementation.

So, what are people's opinions and ideas of "best approach solutions"?

Recommended answer

The purpose of a salt is to make the use of a rainbow table prohibitively expensive, so Attempt 1 pretty much solves the problem correctly. Basing the salt on the password eliminates the variability that defeats rainbow tables, and trying to hide it in the hashed password field is just pointless.
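As an added example (not from the question, the linked page or the answer), here is the contrast the answer draws, in Python using PBKDF2-HMAC-SHA256 from the standard library (the KDF, the record format and the iteration count are my assumptions): a salt derived from the password makes every user who chose the same password produce the same stored value, while a random per-record salt stored in the clear next to the hash does not, and needs no hiding.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune for your hardware)


def password_derived_salt(password: str) -> bytes:
    """The scheme questioned above: a 'salt' computed from the password itself.
    Two users with the same password get the same salt, hence the same hash."""
    return hashlib.sha256(b"salt:" + password.encode()).digest()[:16]


def hash_with_salt(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hash_password(password: str) -> str:
    """Random 16-byte salt per record; stored in the clear beside the hash
    (constructed record format: algo$iterations$salt_hex$hash_hex)."""
    salt = os.urandom(16)
    digest = hash_with_salt(password, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hash_with_salt(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def flawed_records_collide(password: str) -> bool:
    """Password-derived salt: two accounts with this password store identical
    values, so a single precomputed table entry covers all of them."""
    a = hash_with_salt(password, password_derived_salt(password))
    b = hash_with_salt(password, password_derived_salt(password))
    return a == b


def random_salt_records_differ(password: str) -> bool:
    """Random salt: the same password yields distinct records every time."""
    return hash_password(password) != hash_password(password)
```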
