使用用户密码的散列版本来腌制与使用预定义字符串一样安全? [英] Is salting with a hashed version of the user's password just as secure as salting with a pre-defined string?
问题描述
是这样的:
$ pass =pass ;
$ salt = sha1(md5($ pass));
$ pass = md5($ pass。$ salt);
如此安全?
$ pass =pass;
$ salt =4D9ds * ^ dkrUI45 ^#dkd * 3fD8&!dlvd *;
$ pass = md5($ pass。$ salt);
第一个示例与哈希法一样安全,因为它仍然只需要密码,而不需要破解任何东西。换句话说,你只是将散列函数应用于同一事物几次。
更好的办法是为每个用户创建一个salt并存储它旁边,分开。我猜,对于每个人来说固定的盐是可以的,因为你不能使用密码来确定盐。然而,为每个用户生成一个独特的盐更好,因为那样会比用密码破解它更多的信息(例如用户名,注册日期或其他信息)。
Basically, what I'm asking is if salting a password by appending a hashed version of it to the end of it is just as secure as salting with a different string. So:
Is this:
$pass = "pass";
$salt = sha1(md5($pass));
$pass = md5($pass.$salt);
As secure as this?
$pass = "pass";
$salt = "4D9ds*^dkrUI45^#dkd*3fD8&!dlvd*";
$pass = md5($pass.$salt);
The first example is as secure as hashing without using any salt at all, because it still just requires the password and nothing more to crack. In other words, you are just applying the hashing functions to the same thing a few times more.
A better bet is still to create a salt for each user and store it alongside, separately. A fixed salt for everyone is alright, I guess, because you cannot use the password to determine the salt. However, generating a unique salt for each user is even better because then it would take more information than just the password to crack it (e.g. username, date registered, or some other info).
这篇关于使用用户密码的散列版本来腌制与使用预定义字符串一样安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
