如何安全地存储没有哈希的密码？ [英] How to securely store a password without hashes?

问题描述

我想有一种验证用户的方法（它引入了他的密码），而不用以纯文本存储该密码或甚至以散列的方式存储密码。

我应该这样做吗？

有一个控制字符串，用户密钥可以加密并将其与我存储的加密字符串进行比较是否安全？

解决方案

函数，用随机盐迭代HMAC约100ms的持续时间，并用哈希值保存盐。使用诸如 PBKDF2 ， password_hash ， Bcrypt 和类似的函数功能。关键是让攻击者花费大量时间通过强力查找密码。

请参阅：如何安全地存储您的用户密码

摘自吉姆芬顿的演讲迈向更好的密码要求
基于NIST SP 800-63-3的信息草案文件数字身份验证指南

执行：

 要求最小值为8个字符，最大值> 64，不包含截断值或6个随机数字
使用字典禁止针对10M个受密码字典列表的常用密码
允许所有打印字符（可选Unicode）+空格但可以规范化空间
最好接受Unicode，包括emojis（1字符/代码点）
I want to have a way of authenticating an user (which introduces his password) without having that password stored in plain text or even a hash of it.

How should I do it?

Is it secure to have a control string that the user key can cipher and compare it with the ciphered string that I have stored?
解决方案
Per NIST (National Institute of Standards and Technology):

Use a hash function, iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as PBKDF2, password_hash, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force.

See: How to store your users’ passwords safely

Excerpted from the presentation "Toward Better Password Requirements" by Jim Fenton
Information based on NIST SP 800-63-3 Draft document "Digital Authentication Guidelines"

  
Do:  


Require an 8 character min, >64 max with no truncation or 6 random digits  
Use a dictionary to disallow common passwords against a dictionary list of 10M compromised passwords  
Allow all printing characters (Unicode optional) + spaces but MAY canonicalize spaces out  
Best to accept Unicode, including emojis (1 "character"/code point) 
                        
这篇关于如何安全地存储没有哈希的密码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！