哈希盐复杂度
有什么好处吗?
sha1($long_unpredictable_randomly_generated_salt.$password.$global_salt)
使用: over
sha1(sha1($username).$password.$global_salt)
唯一的盐显然存储在数据库中,而全局盐则在服务器上的配置文件中。
我知道盐的目的只是为了唯一,并防止预先计算哈希表..所以我认为 sha1($username) 生成的长哈希没有理由不够好..但由于安全非常重要,我想我应该向可能更了解的人寻求信息建议:-)
Is there any benefit to using:
sha1($long_unpredictable_randomly_generated_salt.$password.$global_salt)
over
sha1(sha1($username).$password.$global_salt)
The unique salt is obviously stored in the database, while the global salt is in a configuration file on the server.
I know the purpsoe of a salt is just to be unique, and prevent pre-calculated hash tables.. so I see no reason the long hash generated by sha1($username) is not good enough.. but as security is very important, I thought i'd ask for informative advice here from somebody who may know better :-)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
缺点是用户名大多是已知的,因此当有人知道你编写的这个“公式”时,他只需计算
sha1(user_to_hack)而这部分不会有任何额外的好处。事实上,在这种情况下,使用sha1(username)或仅使用username都没有多大关系。在另一种情况下,您使用的值未公开,因此即使有人知道您的公式(现在每个人都知道),他仍然需要该独特盐的值才能对他们有用,所以他们需要访问您的数据库。我假设你正在为每个用户制作独特的盐?
无论如何,您可能都需要获取数据,因此唯一的盐可能也更快,因为您不需要计算用户名的哈希值。
但无论如何,两者都非常安全,但前提是您很好地实现了实际的登录过程。我现在不会担心该使用哪一个。
The disadvantage is that the username is mostly known, so when someone knows this 'formula' you made up, he can just calculate
sha1(user_to_hack)and this part won't have any additional benefit. In fact, it won't matter much if you usesha1(username)or justusernamein this case.In the other case, you're using a value that is not exposed, so even when someone knows your formula (which everybody knows now), he'll still needs the value of that unique salt too before it's any use to them, so they'll need to get to your database. I assume you're making up a unique salt for each user?
You'll probably need to get data anyway, so the unique salt is probably faster too, because you won't need to calculate the hash over username.
But anyway, both are pretty safe, but only if you implement the actual login procedure well. I wouldn't worry about which one to use right now.