堆栈内存溢出
  简体   繁体   English

如何验证使用随机盐进行哈希处理的密码?

[英]How do I verify a password which is hashed using a random salt?

 原文  2014-10-22 11:04:52       javascript/ sha256/ owasp/ penetration-testing/ saltedhash

问题描述

I am developing a web application. 我正在开发一个Web应用程序。 Now from security perspective, salted hashing is required for the password while it is sent from client to server. 现在从安全角度来看,密码在从客户端发送到服务器时需要盐水哈希。 Now my problem is, if I randomly generate a salt, append it to the password and hash the combination, how would this password be verified. 现在我的问题是,如果我随机生成一个盐,将它附加到密码并散列组合,将如何验证此密码。 As the salt generated is at random, hash of the salt+password combination would be different every time. 由于生成的盐是随机的,盐+密码组合的哈希每次都会不同。 If I send the same salt generated along with user credentials to the server, this will expose the salt. 如果我将与用户凭据一起生成的相同salt发送到服务器,则会暴露盐。 Exposed salt will create similar trouble as person trying to crack the password can append the exposed salt with different passwords to get the hash and match it. 暴露的盐会产生类似的麻烦,因为试图破解密码的人可以使用不同的密码附加暴露的盐来获取哈希并匹配它。 I have checked numerous websites and question on stack overflow but nothing matched my need exactly. 我已经检查了很多网站和堆栈溢出问题,但没有任何东西完全符合我的需要。

There are tools that can read the memory of browser and steal passwords entered. 有些工具可以读取浏览器的内存并窃取输入的密码。 Therefore salted hashing is required at client side also. 因此,客户端也需要盐渍散列。

2 个解决方案

解决方案1
 3  2014-10-22 11:08:44

You have to keep the salt on the server side of the code. 您必须将salt保留在代码的服务器端。

When you authenticate a user, you send the password to the server. 对用户进行身份验证时,将密码发送到服务器。 The server appends the salt and then hashes the password. 服务器附加salt然后哈希密码。 The salt should be stored somewhere in the serverside code or in the database. salt应该存储在服务器端代码或数据库中的某个位置。

You should never send the salt to the client side of the application. 永远不应将salt发送到应用程序的客户端。

解决方案2
 3  2014-10-22 11:49:01

There's no problem to keep the salt on database. 将盐保存在数据库上没有问题。 The salt is only there to make sure an attacker don't use some table that has a lot of calculated hashs and its corresponding passwords to find out the passwords of your compromised database. 盐只是为了确保攻击者不会使用一些具有大量计算哈希值的表及其相应的密码来查找受感染数据库的密码。 With salt the only option for attackers is brute force. 对于盐,攻击者的唯一选择是蛮力。

So, to make it harder for attackers to brute force and find out the passwords from hashs I suggest a long and secure random salt for each user. 因此,为了让攻击者更难以蛮力并从哈希中找出密码,我建议为每个用户提供长而安全的随机盐。

Good explanation can be found on Why do we use the "salt" to secure our passwords? 可以找到很好的解释为什么我们使用“盐”来保护我们的密码?

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用JavaScript将密码随机盐化并从C#进行验证 - Hash password with random salt using JavaScript and validate from C# 如果我更改我的服务器 bcrypt 可以记住加盐和解密密码,怎么办? - If I change my server bcrypt can remember salt and decrypt Password,How can do that? 我正在使用 bcrypt 创建登录 api 和散列密码 - i am creating login api and hashed password using bcrypt 如何使用 sha256 验证散列 SHA1 密码 - How to validate Hashed SHA1 password using sha256 我可以通过哪种方式验证随机密码? - In which way I can validate a random password? 如何从 Firebase 实时数据库中获取数据,这些数据是随机密钥的子项 - 使用本机反应? - How do I fetch data from firebase realtime database which are children to a random key - using react native? 为什么要散列(不使用盐)随机数? - Why hash (without using a salt) random numbers? 如何获取散列密码以传递到我的数据库? - How to get the hashed password to pass into my database? 如何将存储的散列密码与纯文本进行比较 - how to compare stored hashed password with plain text 如何使用加密创建random-salt-hash - How to create random-salt-hash with crypto
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM