使用sha256作为哈希和用用户ID进行腌制 [英] using sha256 as hashing and salting with user's ID
问题描述
我将为我的网站使用sha256,以确保我的用户密码,以及我正在考虑使用用户id(int auto_increment)。这将是唯一的,但不是很长,很难,公共(user.php?id = 1),但它是唯一的,如果其独特的权利? code> hash('sha256',$ id。$ password);
是的,重要的是盐是独一无二的足够的不足),但它也应该有足够的熵(足够随机和足够长)。用户标识不是随机的,可能太短,所以最好的选择是使用随机生成的字符串,并将它们与散列一起存储在数据库中。
假设用户UID 9 选择一个愚蠢的密码: password 。所得到的将被散列的字符串可能会是 9password 。你可以想象,即使在这种情况下,完整的字符串可能出现在彩虹表(表格包含大量和大量哈希以及它们的原始字符串)。
如果在这种情况下salt例如是 OTAzMzYzODQzMjk5NTM1NDc1N ,要被散列的字符串是 OTAzMzYzODQzMjk5NTM1NDc1Npassword ,这在彩虹表中不太可能出现。此外,输入字符串更长,减少暴力攻击的风险。
I'm gonna use sha256 for my site,to secure my users passwords,and as salt i was thinking of usings the users id (int auto_increment). that will be unique but not very long and hard,and public(user.php?id=1) but it just matters if its unique right?
hash('sha256', $id . $password);
Yes, it is important that the salt is unique (collissions sufficiently unlikely), but it should also have enough entropy (be random and long enough). User ids are not random and may be too short, so your best bet is to use randomly generated strings and store them in your database alongside the hash.
Suppose a user with UID 9 chooses a stupid password: password. The resulting string that will be hashed may then be 9password. You can imagine that even in this case, the full string may appear in rainbow tables (tables which contain lots and lots of hashes with their original string).
If the salt in this case would be, for example, OTAzMzYzODQzMjk5NTM1NDc1N, the string to be hashed is OTAzMzYzODQzMjk5NTM1NDc1Npassword, which is a lot more unlikely to appear in rainbow tables. Also, the input strings are a lot longer, reducing the risk of brute force attacks.
这篇关于使用sha256作为哈希和用用户ID进行腌制的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
