为什么MD5仍然被广泛使用 [英] Why is md5 still widely used
问题描述
好的,我是在编写一个小应用程序的过程中,其中一部分将涉及哈希用户密码。研究出最好的方法后,md5就成了一个建议,几乎与批评它的使用的文章一样多。
其他选择就像是SHA -1等等,它们更强,更不容易被破解。这非常合理。
为了说明问题:
- 为什么md5仍然广泛用于哈希
- 我应该自动将md5折算为哈希密码,还是存在特定的使用情况,其使用情况实际上会比其他哈希机制好?
MD5和SHA-1都不能用于哈希密码。它们被设计为快速计算,这正是你不想要的。如果人们将这些散列算法用于散列密码,很可能是因为他们不知道替代方案。
相反,您应该使用类似 bcrypt ,专门为此目的而设计的。它可以根据需要配置为难以计算。随着计算机变得越来越快,您可以在计算中添加更多轮次以使其花费更长时间。这会减缓攻击者的持有哈希值,并尝试使用强力或基于字典的攻击获取密码。
相关
First, i should say that I am relatively new to programming so please be gentle with me if this is a naive or dumb question.
Ok, so I am in the process of writing a small application, part of which will involve hashing user passwords. After researching the best way to do this, md5 appears as a suggestion, almost as many times as it appears in articles criticizing its use.
The alternatives are the likes of SHA-1 etc which are stronger and less likely to be cracked. This makes perfect sense.
To get to the point:
- Why is md5 still widely used for hashing
- Should I automatically discount md5 for hashing passwords, or are there specific use cases where its use would actually be better than other hashing mechanisms?
Neither MD5 nor SHA-1 should be used for hashing passwords. They are designed to be fast to compute, which is exactly what you don't want. If people are using these hashing algorithms for hashing passwords, it's likely because they don't know about alternatives.
Instead you should be using something like bcrypt that is designed specifically for this purpose. It can be configured to be as hard to compute as you need. As computers get faster you can just add more rounds to the computation to make it take longer. This will slow down attackers who get hold of the hashes and try to use brute-force or dictionary based attacks to get the passwords.
Related
这篇关于为什么MD5仍然被广泛使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!