[英]Hash (with Spring) and salt: is this safe?
I've a Spring based web app, so I came up using spring-security-3.0.8 (I know, that's not a good reason, lol) and I find out the PasswordEncoder class. 我有一个基于Spring的Web应用程序,因此我使用了spring-security-3.0.8(我知道,这不是一个很好的理由,哈哈),我找到了PasswordEncoder类。 In my case I'm using the Md5PasswordEncoder, but I'm not sure if could be the best implementation. 就我而言,我使用的是Md5PasswordEncoder,但是我不确定是否可能是最好的实现。
http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/authentication/encoding/PasswordEncoder.html http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/authentication/encoding/PasswordEncoder.html
The salt is generated by a SecureRandom. 盐是由SecureRandom生成的。
The whole code is something like this: 整个代码是这样的:
String salt = new BigInteger(130, random).toString(32);
user.setSalt(salt);
user.setPassword(passwordEncoder.encodePassword(user.getPassword(), salt));
db.save(user);
I don't really need big security but it's just for knowledge's sake. 我实际上并不需要很大的安全性,但这只是出于知识的缘故。 :) :)
(what about making the salt big as the hash putting the bit to 160?) (如何使盐大如哈希将位增加到160?)
For improved security you might want to consider jBCrypt or scrypt . 为了提高安全性,您可能需要考虑使用jBCrypt或scrypt 。 Spring Security 3.1 supports BCrypt out of the box. Spring Security 3.1 开箱即用地支持BCrypt 。
Further universally valid information can be found in the post Secure hash and salt for PHP passwords . 在PHP密码的Secure hash和salt中可以找到更多的通用有效信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.