这种密码存储方法是否安全?
[英]Is this password storage method secure?
问题描述
I was just thinking if creating a password hash by using a salt created from the password himself is safe to use. 
我只是想如果使用从密码本身创建的盐创建密码哈希是可以安全使用的。 Here an example in php: 这是php中的一个例子:
<?php
$pass = $_GET['pass'];
$salt = hash('whirlpool', $pass);
$pass = md5(hash('whirlpool', $salt.$pass));
echo $pass;
?>
Does this make sense ? 这有意义吗?
Regards. 问候。
4 个解决方案
解决方案1
5 2011-08-04 14:55:50
The point of a salt is to make everyone's password unique. 盐的意思是让每个人的密码都是唯一的。 So in this case just hashing their password and adding it as a salt would still make 2 user's final hashed password equal when the same original password is given. 因此,在这种情况下,只需散列密码并将其添加为盐,当给出相同的原始密码时,仍然会使2个用户的最终散列密码相等。 Better to give each user a random salt and store that right beside their password in the db. 最好给每个用户一个随机的盐,并将其存储在数据库中的密码旁边。
解决方案2
3 2011-08-04 14:26:11
It's no necessary to hash and re hash and re re hash the password. 没有必要散列和重新散列并重新散列密码。
Use a salt with a good hashcode algorithm is a good thing, but you need to force yours users to send a strongly password with a minimum of size and with alphanumeric characters 使用具有良好哈希码算法的salt是一件好事,但是您需要强制您的用户发送一个具有最小大小和字母数字字符的强密码
notes: 笔记:
解决方案3
0 2012-06-14 20:53:49
You can protect both your password and your salt. 您可以保护密码和盐。
Use SHA256 or higher (2012) and in years to come it must be higher.
使用SHA256或更高版本(2012),并且在未来几年内必须更高。 Use a different salt for every user.
为每个用户使用不同的盐。 Use a calculated salt.
使用计算的盐。 Create a 16 to 32 byte Salt and store it in the database, called 'DBSalt'.
创建一个16到32字节的Salt并将其存储在数据库中,称为“DBSalt”。 Create any old algorithm to manipulate the salt but keep the algorithm only in code.
创建任何旧算法来操作salt但仅将算法保留在代码中。 Even something as simple as DBSalt + 1 is useful because if someone gets your database, they don't actually have the correct salt because the correct salt is calculated. 即使像DBSalt + 1这样简单的东西也很有用,因为如果有人获得了你的数据库,他们实际上没有正确的盐,因为计算了正确的盐。 Calculate your password as follows:
按如下方式计算密码: CreateHash(saltAlgorithm(dbSalt), password);
CreateHash(saltAlgorithm(dbSalt),密码); You can add security by having a list of algorithms that manipulate the DBSalt in different ways.
您可以通过使用以不同方式操作DBSalt的算法列表来添加安全性。 Every time a user changes their password you also use a different calculation against the DBSalt 每次用户更改密码时,您还会对DBSalt使用不同的计算 You can add more security by having these algorithms be stored on web servers external to your system so if your DB and code both get hacked, they still don't have your salt.
您可以通过将这些算法存储在系统外部的Web服务器上来增加安全性,这样如果您的数据库和代码都被黑客攻击,他们仍然没有盐。 - You can also increase security by having a before, and after, or both salt and the database alone doesn't provide this information. 您还可以通过使用salt之前,之后或两者来提高安全性,并且数据库本身不提供此信息。
- You can also increase security by having a before, and after, or both salt and the database alone doesn't provide this information.
There is no end to the "You can increase security by..." comments. “你可以通过...增加安全性”评论没有尽头。 Just remember, every time you add security, you add complexity, cost, etc... 请记住,每次添加安全性时,都会增加复杂性,成本等......
How to effectively salt a password stored as a hash in a database 如何有效地将存储为哈希的密码加密到数据库中
解决方案4
0 2011-08-04 15:17:09
I do it like this 我是这样做的
<?php
$my_key = "myapp";
$temp_pwd = htmlentities(trim($_POST['password']));
$hashed = sha1($my_key.$temp_pwd);
save $hashed in database on signup
and with every login attemp merge the input password value with your key and make a hash of it and than compare with database password value
?>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.