是否值得对密码的每个字母进行 MD5 处理?
您好,
我目前正在开发一个涉及登录系统的项目,该系统旨在确保设置尽可能安全。
我要问的是,对 char 数组中的每个元素(从密码字段获取)进行 MD5 是否值得,通过这种方式,您可以向每个 char 元素添加一个盐,以便使用 MD5 进行哈希处理,完成后,添加所有每个字符的哈希值,然后添加一个单独的盐,然后再次 MD5?
这真的安全吗,还是矫枉过正?
Greetings,
I'm currently working on a project which involves a login system which is aiming to be as secure as possible for the set-up.
What I'm asking is, would it be worth it to MD5 each element in a char array (obtained from a Password field), by which you add a salt to each char element to be hashed with MD5, upon completing that, add all the hashes from each character, and then add a separate salt to that, and MD5 it again?
Is this actually secure, or just overkill?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(9)
更好的哈希算法和好的盐将是一个好的开始。一旦黑客知道你在哈希中放入了单个字符,解密就非常容易了。
可以在几秒钟内生成单个字符的彩虹表;)。
SHA-512 可能是 has 算法的一个很好的替代方案。并且不要仅根据密码生成哈希值。也使用盐。这样您就可以非常安全地存储密码。
如果您的密码需要从一个应用程序(客户端)发送到另一个应用程序(服务器),那么使用安全协议进行通信可能更为重要。
A better hash algorithm and a good salt would be a good start. Once a hacker knows you put single characters in a hash than it is piss easy to decrypt.
Rainbow tables for single characters can be generated within seconds ;).
SHA-512 might be a good alternative for a has algorithm. And don't generate a hash from the password only. Use a salt aswell. This way you can store passwords pretty safe.
If your passwords need to be send from one application (client) to another (server) than it is probably even more important to use a secure protocol for communication.
根本不安全,因为密钥空间只有 255。向每个字母添加盐只会向整个字符串添加相同的盐,并且可能会减少而不是增加散列的熵。
正确的解决方案是使用正确的密码哈希算法(如 bcrypt、scrypt 或 pbkdf2)并避免编写自己的算法。
MD5(以及 SHA-1、SHA-2 等)速度非常快,因此很容易暴力破解密码。
编辑
今天我们看到一个很好的例子来说明原因: iPhone 黑客公布了秘密的索尼 PlayStation 3 密钥< /a>
Not secure at all, as the key space is only 255. Adding a salt to each letter would achieve nothing more than adding the same salt to the whole string, and could possibly reduce the entropy of the hash rather than increasing it.
The correct solution is to use a proper password hashing algorithm (like bcrypt, scrypt or pbkdf2) and avoid making up your own algorithms.
MD5 (and SHA-1, SHA-2, etc.) are so fast it is very easy to brute-force passwords anyway.
Edit
And today we see a wonderful example of why: iPhone hacker publishes secret Sony PlayStation 3 key
可能更好的是使用更新的哈希算法,例如 SHA-1/SHA-2 。 MD5 存在已知的漏洞(甚至更现代的 SHA-1 也有一些)。
Probably better would be to use a more current hashing algorithm like SHA-1/SHA-2. There are known vulnerabilities in MD5 (and even the more modern SHA-1 has some).
对我来说听起来不是一个好主意,使用 MD5 也不是。请改用现代 SHA 算法(如 SHA256)。
Doesn't sound like a very good idea to me, neither does using MD5. Use a modern SHA algorithm instead (like SHA256).
MD5 有缺陷:
http://www.kb.cert.org/vuls/id/836068
看起来你的建议只会将安全性提高 O(n+1),其中 n 是密码长度,这还不够。
您应该选择其他更安全的哈希算法,例如 SHA-256 或 SHA-512,而不是做所有这些混乱的事情。
MD5 is flawed:
http://www.kb.cert.org/vuls/id/836068
It seems that with your proposal you will only increase the security by O(n+1), where n is the password length, which is not enough.
Instead of doing all this mess you should choose another hash algorithm, like SHA-256 ou SHA-512, that are much more secure.
这实际上并不会更安全。
一个更重要的选择是使用 MD5 以外的东西来进行这种散列。 MD5 的暴力破解速度非常快(特别是在大规模并行硬件上,例如显卡),因此很容易破解(至少对于单个密码而言)。
如果您使用 SHA-512 等更复杂的东西,您将增加更多的安全性。
That wouldn't really be any more secure.
A much more important choice is to use something other than MD5 for this kind of hashing. MD5 are insanely fast to bruteforce (especially on massively parallel hardware, such as graphics cards) and as such easy to crack (at least for single passwords).
If you use something more complex like SHA-512, you'll add much more security.
不——这根本不会使它更安全。如果您希望它更安全,请使用更好的哈希算法,例如 SHA1。
No - that won't make it more secure at all. If you want it more secure then use a better hashing algorithm, like SHA1.
如果你想尽可能安全,你应该使用一些不同的哈希算法,md5 已知有一些碰撞攻击。
看看http://en.wikipedia.org/wiki/Comparison_of_cryptographic_hash_functions
If you want to be as secure as possible you should use some different hash algorithm, md5 is known to have some collision attacks.
Have a look at http://en.wikipedia.org/wiki/Comparison_of_cryptographic_hash_functions
这会使密码不太安全。要暴力破解完整的密码,您需要尝试每个字母的每种组合(或者有一本好的字典)如果您一次加密一个字母,您只需尝试一次破解一个字母(这很简单)
这是一项艰巨的任务。大多数侵入系统的人都拥有内部知识,例如前雇员。我建议您现实一点,为确保安全而付出的努力。
法老的坟墓工人也会埋葬,以确保他们中没有人会说出坟墓的位置,但据我所知,只有一座坟墓被发现完好无损。 ;)
您可以尝试使用种子 SHA 来提高安全性。
That would make the password LESS secure. To brute force crack a complete password you need to try every combination of every letter (or have a good dictionary) If you encrypt one letter at a time, you would only have to attempt to crack one letter at a time (which is trival)
That is a big task. Most people who hack into a system have inside knowledge, such as former employees. I would suggest you be realistic at what lengths you are will to go to ensure security.
Tomb workers for the Pharaohs would entomb as well to ensure none of them would tell the location of the tomb, and yet AFAIK only one tomb was ever found intact. ;)
You could try Seeded SHA to increase security.