如果可以访问数据库,那么盐和哈希的要点是什么? [英] What is the point of salt and hashing if database is accessible?
问题描述
散列它是哈希的概念(嘿!不要忘记盐!)并使用salt来保证密码。单向加密(实际上不是加密,但散列),所以它不能被颠倒设计。 Salting是在散列之前为密码添加随机创建的值的前缀或附加值,因为散列问题(哈希)是,某些天才提供了字典中的单词哈希表,以便他们将该字典中的散列用户的表从数据库登录 - W等待?我是否从数据库中说出表格?那意味着有人可以访问数据库,所以我们必须使用salt?如果是这样,那么黑客为什么会恢复密码,如果他已经有权访问数据库?如果我是他,我只是从数据库中获得所有我想要的细节,为什么我要用我从房子里偷来的钥匙打开房门,如果我已经可以通过窗户进入房子?
那么,为什么哈希?为什么要盐?我不明白。请注意,有人帮助我。
预先致谢。
重要说明:我不反对哈希或salting,我只是想澄清事情。 ,那么为什么黑客会在他已经访问数据库的情况下恢复密码?
原因很多。这里有几个:人们重新使用他们的密码,所以不泄漏每一个真正的密码,都会限制这种攻击的影响。 / p> 如果没有真正的密码,黑客仍然无法登录,比如在黑客入侵的系统上发布新条目。 谁说全部信息存储在数据库中?如果数据库仅由用户名和哈希/盐渍密码组成,该怎么办?然后,知道这些内容并没有什么帮助。
I just learned the concept of hashing ("Hey! don't forget the salt!") and using salt to make the password secured.
Hashing it is a one way encryption (actually not encryption but hashing) so it cannot be reversed engineered. Salting is prefixing or appending randomly created values to the password before hashing 'coz the problem in hashing (just hashing) is, some genius has provided a hash table of words from the dictionary so that they'll just compare the hash from that dictionary to the user's table from the database to login - W-wait? did I say table from the database? So it means somebody can access the database so we have to use salt? If that so, then why would the hacker recover the password if he already has access to the database? If I were him, I'll just get all the details I want from the database, why would I use the key I've stolen from a house to open the door if I can access the house already through the window?
So, why hash? why salt? I don't understand. Please, somebody help me.
Thanks in advance.
Important Note: I'm not against hashing or salting, I just want to clarify things.
If that so, then why would the hacker recover the password if he already has access to the database?
Reasons are many. Here are a few:
People reuse their passwords, so not leaking everybodys real passwords does limit the impact of such attack.
Without the real passwords, the hacker will still not be able to log in and, say, post new entries on the hacked system.
Who says all information is stored in the database? What if the database solely consisted of the user name and hashed/salted passwords? Then, knowing the content doesn't help much.
这篇关于如果可以访问数据库,那么盐和哈希的要点是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
