盐和哈希，为什么不使用用户名？ [英] Salt and hashing, why not use username?

问题描述

我必须承认大部分对Web应用程序相关的高科技安全问题基本无知，但有一件事我至少认为我可以问，因为这是一个直接问题（希望）有一个具体的答案。

访问此网站： http：// www.15seconds.com/issue/000217.htm

它显示了他们将盐值存储在表格中的一些信息，我了解其原理和使用盐的数学背后的数学，但我想知道这个：

• 为什么他们不只是使用用户名作为salt值而不是生成一个？

解决方案

一个随机盐，所以他们散布你的哈希围绕不到一个适当的盐。

不是那个页面上的例子是非常壮观的反正。我总是生成一个GUID并使用它。

我怀疑现实生活中的安全问题已经降低了，即使是非常小的数量用盐对安全性有很大的影响，随着盐变得越来越复杂，只有非常小的改进。

I must confess to being largely ignorant on most of the high-tech security issues relevant for web applications, but there is one thing I at least thought I could ask because it is a direct question with (hopefully) a concrete answer.

Take this website: http://www.15seconds.com/issue/000217.htm

It shows a bit down that they store the salt value in the table, I understand the principles and the math behind using a salt, but I'm wondering this:

• Why did they not just use the username as a salt value instead of generating one?

解决方案

Because user names have lower entropy than a random salt, so they spread your hashes around less than a proper salt does.

Not that the example on that page is very spectacular anyway. I always just generate a GUID and use that.

I suspect it's all down in the noise as far as real-life security is concern, and even quite small amounts of per-user salt make a big difference to security, with very small improvements as the salt gets more complex.

这篇关于盐和哈希，为什么不使用用户名？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！