可以防止字典或暴力攻击？ [英] Can salt prevent dictionary or brute force attacks?

问题描述

我刚刚阅读了文章。而且说：

I just read an article. And it's said:

所以我不是说盐没有目的，我说他们
不防止字典或暴力攻击（他们不会）。

So I’m not saying salts are without purpose, I’m saying that they don’t prevent dictionary or brute force attacks (which they don’t).

如果您有数据库转储，散列密码和盐，你只有在知道crypt算法的时候才能开始暴力。如果您使用开放源代码，那可能是一个问题。但是如果你稍微改变一下算法，这不是问题，直到有人知道。我对吗？

If you have a database dump, with hashed passwords and salts, you can start brute force only if you know crypt algorithm. If you use open source, it can be a problem. But if you change algorithm a little, it's not a problem, until somebody know it. Am I right?

推荐答案

Troy Hunt最近写了一篇很好的文章，我们的密码散列没有衣服，详细介绍了密码散列的演变，包括Salts。

Troy Hunt recently wrote an excellent article, Our password hashing has no clothes, detailing the evolution of password hashing, including Salts.

尽管萨尔茨防止了直接比较预先加入的彩虹表，但他的观点是，硬件已经改善了，将盐应用于未打开的彩色密码，并比较了咸色的哈希现在可以在短时间内完成时间由于摩尔定律。

Although Salts prevented direct comparisons with pre-hashed rainbow tables, his point is that hardware has improved to the point where applying the salt to an unhashed rainbow password and comparing salted hashes can now be done in a short time due to Moore's law.

正如Trickfire所述，使用专有散列算法是通过隐晦的安全性。如果攻击者有你的数据库，他也可能会得到你的应用程序，并拆卸它并获得算法。

As Trickfire states, using a proprietary hashing algorithm is security through obscurity. If the attacker has your database, he will also likely be able to get your app and disassemble it and obtain the algorithm.

这篇关于可以防止字典或暴力攻击？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！