如何安全地存储没有哈希的密码? [英] How to securely store a password without hashes?
问题描述
我想有一种验证用户的方法(它引入了他的密码),而不用以纯文本存储该密码或甚至以散列的方式存储密码。
我应该这样做吗?
有一个控制字符串,用户密钥可以加密并将其与我存储的加密字符串进行比较是否安全?
函数,用随机盐迭代HMAC约100ms的持续时间,并用哈希值保存盐。使用诸如
PBKDF2
, password_hash
, Bcrypt
和类似的函数功能。关键是让攻击者花费大量时间通过强力查找密码。 请参阅:如何安全地存储您的用户密码
摘自吉姆芬顿的演讲迈向更好的密码要求
基于NIST SP 800-63-3的信息草案文件数字身份验证指南
执行:
要求最小值为8个字符,最大值> 64,不包含截断值或6个随机数字
使用字典禁止针对10M个受密码字典列表的常用密码
允许所有打印字符(可选Unicode)+空格但可以规范化空间
最好接受Unicode,包括emojis(1字符/代码点)I want to have a way of authenticating an user (which introduces his password) without having that password stored in plain text or even a hash of it.
How should I do it?
Is it secure to have a control string that the user key can cipher and compare it with the ciphered string that I have stored?
解决方案 Per NIST (National Institute of Standards and Technology):
Use a hash function, iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as PBKDF2
, password_hash
, Bcrypt
and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force.
See: How to store your users’ passwords safely
Excerpted from the presentation "Toward Better Password Requirements" by Jim Fenton
Information based on NIST SP 800-63-3 Draft document "Digital Authentication Guidelines"
Do:
Require an 8 character min, >64 max with no truncation or 6 random digits
Use a dictionary to disallow common passwords against a dictionary list of 10M compromised passwords
Allow all printing characters (Unicode optional) + spaces but MAY canonicalize spaces out
Best to accept Unicode, including emojis (1 "character"/code point)
这篇关于如何安全地存储没有哈希的密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!