每次登录时覆盖用户的密码哈希值并覆盖原始值会有用吗? [英] Would re-salting the user's password hash every time they log in and overwriting the original be useful?
问题描述
用户输入他们的密码,并提交登录表单。密码被发送到服务器,运行身份验证,并且散列的密码与存储在数据库中的密码匹配。
这是我想知道的地方。我想知道的是,如果这种情况是有用的:
用户的密码然后用一个新的随机salt重新哈希,并且存储在数据库中的原始哈希被覆盖。下次用户登录时,他们仍然输入完全相同的密码,但正在检查不同的散列。
请让我知道这是否会更安全到密码散列。
编辑
我写了这个问题非常糟糕....我一直在研究使非SSL登录脚本更加安全的方法,并且在通过发布数据发送密码之前使用javascript对密码进行散列。这让我觉得这是一个半体面的想法,但如果黑客截获散列后的数据是毫无意义的,因为他可以使用散列发送虚假的发布数据。我不得不考虑每次使用新的盐重新散列通行证,所以黑客每次他想访问该用户的帐户时都不得不重新嗅探连接。
通过这种方式,如果受害者计算机上没有密钥记录器或某种客户端软件,黑客就无法访问客户端的密码,因此只能访问一个会话一旦用户登录,哈希会改变黑客在用户再次登录以获取新哈希时必须监听的内容。
因此,每个攻击者谁设法读取数据库将有另一组哈希值暴力。但是,当其中一个哈希被破坏时(例如,您发现密码与salt一起给出了给定的哈希),它很可能是原始密码,并且即使数据库中的salt和哈希值更改,它仍将继续工作后来。
所以,这里的安全性没有变化。
A user enters their password, and submits the login form. The password is sent to the server, authentication is run, and the hashed password matches the one stored in the database.
This is where what I am wondering comes into play. What I want to know is if this scenario would be useful:
The user's password is then re-hashed with a new random salt, and the original hash stored in the database is overwritten. Next time the user logs in, they still enter the exact same password, but a different hash is being checked.
Please let me know if this would be a more secure approach to password hashing.
EDIT
I wrote this question very poorly.... I have been researching methods to make non-SSL login scripts more secure, and came upon an idea to use javascript to hash the password before it was sent via post data. This struck me as a semi-decent idea, except it would be pointless if the hacker intercepted the hashed post data, because he could just sent fake post data from then on using the hash. I got to thinking about re-hashing the pass with a new salt every time, so the hacker would have to continuously re-sniff the connection every time he wanted access to that user's account.
This way, without a key-logger or some sort of client-side software on the victim's computer, a hacker wouldn't be able to get access to the client's password, and thus would only be able to access one session at a time, as soon as the user logged in, the hash would change the the hacker would have had to been listening when the user logged in again to get the new hash.
The only difference I can see here is that the salted hashes in the database would change regularly.
So, each attacker who somehow manages to read the database would have another set of hashes to bruteforce. But, when one of the hashes is broken (e.g. you found a password which together with the salt gives the given hash), it most probably is the original password, and it will continue to work even if the salt and hash in the database changes later.
So, no change in security here.
这篇关于每次登录时覆盖用户的密码哈希值并覆盖原始值会有用吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
