Is this a secure way to hash a password?


Question

Could you please tell me if the following is a good way to securely hash a password to be stored in a database:

    using System.Security.Cryptography;
    using System.Text;

    public string CreateStrongHash(string textToHash) {

        // Fixed, hard-coded salt shared by every password
        byte[] salt = System.Text.Encoding.ASCII.GetBytes("TeStSaLt");

        // PBKDF2 (HMAC-SHA1 with this constructor) with 1000 iterations
        Rfc2898DeriveBytes k1 = new Rfc2898DeriveBytes(textToHash, salt, 1000);

        // SHA-512 over the first 16 derived bytes
        var encryptor = SHA512.Create();
        var hash = encryptor.ComputeHash(k1.GetBytes(16));

        // Hex-encode the digest
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < hash.Length; i++) {
            sb.Append(hash[i].ToString("x2"));
        }

        return sb.ToString();
    }

Many thanks in advance.

Answer

You use PBKDF2-SHA1, which is decent but not great. Bcrypt is a bit better, and scrypt is even stronger. But since .NET already includes a built-in PBKDF2 implementation, that's an acceptable choice.

Your biggest mistake is that you didn't get the point of a salt. A salt should be unique for each user. It's standard practice to simply create a random value of at least 64 bits. Store it together with the hash in the database.

If you want to, you can split the salt into two parts. One stored in the database alongside the user, which is different for each, and one shared part stored elsewhere. This gains the advantages of both.

I also recommend using a higher work factor than 1000. Figure out what performance is acceptable, and adjust accordingly. I wouldn't go below 10000, and in some situations (disk encryption) a million is acceptable too.
