salting如何通过访问密码哈希来防御攻击者?
[英]How does salting protect against an attacker with access to your password hashes?
问题描述
I've read a fair few questions on password salting and mostly they cover the stuff that (I think) I already understand. 
我已经阅读了一些关于密码腌制的问题,其中大部分都涵盖了(我认为)我已经理解的内容。 That is; 那是; the point of including a random salt in your password hashes is firstly to prevent two hashes being the same even when the password is the same. 在密码哈希中包含随机盐的关键是首先要防止两个哈希值相同,即使密码相同也是如此。 And secondly to thwart rainbow table attacks that match hashes against a precompiled list (because none of the precompiled hashes used the salts you have used, so a new rainbow table would need to be generated for each salt/hash). 其次是为了阻止与预编译列表匹配哈希的彩虹表攻击(因为没有预编译的哈希值使用了您使用的盐,因此需要为每个盐/哈希生成新的彩虹表)。 Feel free to correct me if I've misunderstood any of that. 如果我误解了其中任何一个,请随意纠正我。
Now my question: If an attacker has access to your hashes (the scenario we're protecting against) then that means they're accessing your database. 现在我的问题是:如果攻击者可以访问您的哈希值(我们正在防范的场景)那么这意味着他们正在访问您的数据库。 That being the case surely it doesn't matter what the hash is, they can just replace it with whatever they want? 在这种情况下,哈希是什么并不重要,他们可以用他们想要的东西取代它?
2 个解决方案
解决方案1
1 已采纳 2012-03-03 02:17:42
Read access to a database does not imply write access to the database. 对数据库的读访问权并不意味着对数据库的写访问权。
So yes, if an attacker can update the password hash to a known hashed password + salt, then the attacker can gain access to a specific account. 所以是的,如果攻击者可以将密码哈希更新为已知的哈希密码+ salt,则攻击者可以访问特定帐户。 But dumps of password hashes can come from places other than direct database access. 但密码哈希的转储可以来自直接数据库访问以外的地方。
解决方案2
1 2012-03-03 02:20:38
It all depends on the account's permission. 这一切都取决于帐户的许可。 If a read only account was hacked, they can only read, but if a higher account got hacked, well, the attacker has higher permissions the farther up the ladder it goes. 如果一个只读帐户被黑客入侵,他们只能阅读,但如果一个更高的帐户被黑客攻击,那么攻击者拥有更高的权限,它越往上升。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.