多密码哈希 [英] Multiple Password Hash
问题描述
我目前正在研究一个需要高度安全性的Web应用程序,并且我一直在考虑密码处理。我应该使用哈希密码,并且有足够大的盐量,但是使用不同的salt或不同的算法多次哈希密码会有好处吗?
我不是指你应该多次散列密码来生成密码哈希,如 Hash(Hash(Hash(salt + psw)))= pswhash ,但我正在考虑使用 Hash(Hash(Hash(salt1 + psw)))= pswhash1 和 Hash(Hash(Hash(salt2 + psw)))= pswhash2 ,然后在登录时进行比较。
使用此例程,攻击者不仅必须找到一个可生成pswhash的密码,而且还必须能够正确生成两个哈希值的密码。这样,碰撞的可能性几乎为零,但攻击者可以使用第二个散列值来确定第一个散列表的密码是否正确。
其他信息关于申请:
申请主要是我们公司的内部申请。 Alla连接使用https处理,所有用户名对于此应用程序都是唯一的(因为您不能选择您的用户名),并且所有密码对于此应用程序都是唯一的(随机生成的,您不能选择它们)。我们主要担心有人在我们能够做出反应之前未经授权访问系统。如果我们有时间回应他们能够找到确切密码的事实并不是什么大事。
使用一种久经考验的技术 - 例如, PBKDF2 - 而不是尝试滚动你自己的。
I'm currently working on a Web app that requires a high level of security and I've been thinking about the password handling. That I should use a hashed password, with a large enough salt is a given, but would it be a benefit to hash the password multiple times with different salts or different algorithms?
I'm not referring to the fact that you should hash the password multiple times to generate your password hash like Hash(Hash(Hash(salt + psw)))=pswhash, but instead I'm thinking about using Hash(Hash(Hash(salt1 + psw)))=pswhash1 and Hash(Hash(Hash(salt2 + psw)))=pswhash2, and then comparing to both upon login.
Using this routine an attacker mustn't only find one password that generates pswhash, but a password that must generate both hashes correctly. This way the possibility of an collision is virtually nil, but the attacker can use the second hash to determine if a password from the first hash is correct or not.
Additional information about the application: The application is primarily an internal application for our company. Alla connections are handled with https, all usernames are unique for this application (ergo you can't choose your username) and all passwords are unique for this application (random generated, and you can't choose them). We are primarily concerned that someone gains unauthorized accesses to the system before we can react. If we have time to react the fact that "they" can find the exact password isn't that big a deal.
Use a tried-and-tested technique -- for example, PBKDF2 -- rather than trying to roll your own.
这篇关于多密码哈希的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
