密码编码如何工作?

发布于 2024-11-05 12:14:29 字数 356 浏览 7 评论 0原文

我知道这不是一个伟大的标题,我也不期望任何人真正了解细节。

我特指 PHP 的 md5 函数,它将密码更改为 32 位字符串,我认为...
无论如何,如果我有一个密码,例如“打字机”,md5 函数是否总是将其编码为完全相同的字符串?如果是这样,那么找出所有单词的编码并找到某人的密码肯定很容易吗?如果有一个函数可以对一个单词进行编码,那么肯定会有一个函数可以快速对其进行解码...

对用户密码进行编码的最安全方法是什么,我读到了有关使用盐方法将另一个字符串附加到用户密码的内容,但肯定如果他们可以解码密码,他们可以解码盐吗?

感谢您的宝贵时间,我期待您的建议。

PS 不确定是否会轻易授予获胜者,因为这是一个相当开放的问题。

I know this isn't a great title and i'm not expecting anyone to actually know the specifics.

I'm referring specifically to PHP's md5 function that changes the password to a 32bit string, i think...
Anyway, If I have a password such as 'typewriter' will the md5 function always encode it to the exact same string? If so, surely it is very easy to just work out what all the words are encoded to and find someone's password? If there's a function to encode a word surely there could be a function to quickly decode it...

What is the safest way to encode a users password, i read about using the salt method to append another string to the users password, but surely if they can decode the password they can decode the salt to?

Thanks For Your Time, i look forwards to your suggestions.

P.S not sure it's going to be easy to award a winner for this as its a fairly open question.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(9

独守阴晴ぅ圆缺 2024-11-12 12:14:29

无论如何,如果我有一个密码,例如“打字机”,md5 函数是否总是将其编码为完全相同的字符串?

是的

如果是这样,那么找出所有单词的编码并找到某人的密码肯定很容易吗?

不。关键是哈希值是单向的。 (简化示例:3x5=15。知道了 15,你需要乘以第二个数字才能得到它?)危险在于彩虹表,人们已经计算出了对许多不同输入进行哈希处理的结果,因此你可以这样做反向查找。

对用户密码进行编码的最安全方法是什么

使用盐

,我读到有关使用 salt 方法将另一个字符串附加到用户密码的内容,但如果他们可以解码密码,他们肯定可以将 salt 解码为?

为每个密码使用不同的盐。

Anyway, If I have a password such as 'typewriter' will the md5 function always encode it to the exact same string?

Yes

If so, surely it is very easy to just work out what all the words are encoded to and find someone's password?

No. The point is that the hash is one-way. (Over simplified example: 3x5=15. Knowing 15, what do you have to multiple by the second number to get that?) The danger is in rainbow tables where by people have worked out the result of hashing many different inputs so you can do a reverse look up.

What is the safest way to encode a users password

Use a salt

, i read about using the salt method to append another string to the users password, but surely if they can decode the password they can decode the salt to?

Use different salts for each password.

朕就是辣么酷 2024-11-12 12:14:29

md5 函数不是为密码加密而设计的——它是一种单向哈希函数,允许在两个(可能很大)字符串之间进行快速比较。

通过暴力破解密码的计算成本非常高,即生成并散列大量密码直到找到匹配的密码。

md5算法已被破解——无需暴力破解即可轻松逆向。

md5 函数每次都会为两个相同的字符串生成相同的哈希值。它还可能为两个不同的字符串生成相同的哈希值 - 读取哈希冲突。

The md5 function isn't designed for password encryption -- it is a one-way hashing function that allows quick comparison between two (potentially large) strings.

It is computationally very expensive to crack a password through brute force methods, i.e., generating and hashing lots of passwords until you hit a match.

The md5 algorithm has been cracked -- it is easy to reverse without brute force methods.

The md5 function will produce the same hash every time for two strings that are the same. It may also produce the same hash for two strings that are different - read up on hashing collisions.

稚气少女 2024-11-12 12:14:29

使用单向函数对密码进行散列,该函数从任何字符串中产生确定性结果,这就是散列的全部要点:您不是存储值,而是存储一些派生消息并检查用户输入的散列是否与存储的散列相匹配在用户存储库中。

您提出的问题 - 有人创建一个包含所有单词及其哈希值的字典,从而可以进行哈希值的反向查找,这无疑是一个必须解决的问题,也是许多登录系统要求您选择非单词密码的原因。

良好的哈希函数的另一个因素必须是,即使输入(密码)的微小变化也会导致哈希值发生重大变化。通过这种方式,添加数字或更改大小写将产生全新的输出,并且创建字典的工作将变得更加困难。使用 md5 哈希的示例:

密码:5f4dcc3b5aa765d61d8327deb882cf99

密码:a61f3f0aee2e87cf0571ca70afe289d2

请放心,包含“test”“password”“mommy123”等的字典已经存在。

除了 md5 不是一个非常安全的哈希函数之外,使用 SHA1 或 SHA-256 可能是更好的选择。

Hashing of passwords using one-way-functions that produce a deterministic result from any an string, which is the whole point of hashing: Rather than storing the value you store some derived message and check if the hash of the user input matches the hash stored in the user repository.

The problem you suggests - that someone creates a dictionary containing all words and their hash values which enables reverse lookup of hashes is certainly a problem which must be addressed and the reason why many login system requires you to choose non-word passwords.

The other factor of a good hashing function must be that even minor changes in the input (the password) causes major changes in the hash. This way adding a number or chaning casing will produce drastically new outputs and the work of creating a dictionary will be much harder. An example using md5 hashing:

password: 5f4dcc3b5aa765d61d8327deb882cf99

passworD: a61f3f0aee2e87cf0571ca70afe289d2

Put rest assured that a dictionary containing "test" "password" "mommy123" etc already exists.

Besides md5 is not a very secure hash function, using SHA1 or SHA-256 might be better choices.

吃→可爱长大的 2024-11-12 12:14:29

md5 密码每次都会创建相同的加密密码。

尝试使用 phpass 以获得更高的安全性。它使用盐和其他哈希算法,例如河豚。

了解有关 phpass 的更多信息

也可以单独使用河豚。检查 php crypt

md5 passwords will create the same encrypted password everytime.

Try using phpass for great security. It uses salts and other hashing algorithms such as blowfish.

Read more about phpass

Can also use blowfish on its own. Check php crypt.

情独悲 2024-11-12 12:14:29

至少,它们会进行相同的编码,因此很容易受到暴力攻击,通过“彩虹表< /a>"

正如您所提到的,您可以在哈希中添加,这将帮助。

您可以对它们进行加密,但这也有风险。

坚持哈希。

祝你好运。

At a minimum, they will encode the same, so it is succeptible to a brute force attack, via "rainbow tables"

As you mention, you can add a salt to the hash, which will help.

You can encrypt them instead, but that has risks, too.

Stick with the hash.

Good luck.

百合的盛世恋 2024-11-12 12:14:29

无论如何,如果我有一个密码,例如“打字机”,md5 函数是否总是将其编码为完全相同的字符串?

是的

如果是这样,那么找出所有单词的编码并找到某人的密码肯定很容易吗?

不,没有额外的资源就不行。有彩虹桌;这些表的 hash=>password 在这里很有帮助。通过暴力破解,他们只需将密码的哈希值与表中的所有哈希值进行比较,也许存在匹配,从而产生可读的密码。

如果有一个函数可以对一个单词进行编码,那么肯定会有一个函数可以对其进行快速解码......

MD5 既不是加密,也不是编解码器。它是一个哈希函数,这意味着您无法解密或解码它,因为理论上存在无限的候选字符串,这会产生相同的哈希值。这也是为什么需要彩虹表和暴力破解哈希的原因。

对用户密码进行编码的最安全方法是什么,我读到有关使用盐方法将另一个字符串附加到用户密码的内容,但如果他们可以解码密码,他们可以将盐解码为?

就是这样。

$hashed = md5($pass . "MySalt");

(使用可购买的硬件;))几乎不可能解密它。如果你有一个超级重要的网站,有人可能会为你的盐创建一个特殊的彩虹表(如果他们知道的话)。在这种情况下,您可以使用随机盐,与密码一起保存,它是盐。

Anyway, If I have a password such as 'typewriter' will the md5 function always encode it to the exact same string?

Yes

If so, surely it is very easy to just work out what all the words are encoded to and find someone's password?

No, not without additional resources. There are rainbow tables; that are tables with hash=>password, that helps here. With brute force they just compare the hash of the password with all the hashes in the table and maybe there is a match, that leads to a readable password.

If there's a function to encode a word surely there could be a function to quickly decode it...

MD5 is neither an encryption, nor an codec. It is a hash function, which means, that you cannot decrypt or decode it, because in theory there are infinite string candidates, that results in the same hash. This is also the reason why you need rainbow tables and brute force to decrypt a hash.

What is the safest way to encode a users password, i read about using the salt method to append another string to the users password, but surely if they can decode the password they can decode the salt to?

Thats it.

$hashed = md5($pass . "MySalt");

It is (with buyable hardware ;)) nearly impossible to decrypt this. If you have a super-dupa-important websites someone may create a special rainbow table just for your salt (if they get known of it). In this case you can use random salts, that you save along with the password, that it salts.

咽泪装欢 2024-11-12 12:14:29

哈希函数对于相同的输入总是有相同的输出。
您不必担心解码哈希函数,例如 md5 或 sha1。
如果您认为有人可以解码您的散列密码,您可以使用“盐”和/或组合散列,例如:

$pass = "password";
$salt = "salt";
$encodedPass = sha1(md5($pass.$salt));

a hash function will always have the same output for the same input.
you shouldn't worry about decoding hash functions such as md5 or sha1.
if you think that there is someone that could decode your hashed passwords, you can use a "salt" and/or combine hashes such as :

$pass = "password";
$salt = "salt";
$encodedPass = sha1(md5($pass.$salt));
jJeQQOZ5 2024-11-12 12:14:29

http://codahale.com/how-to-safely-store-a-密码/

安全的密码存储很困难。加盐和使用像 SHA-1 这样更强的散列可以比直接的 md5 散列带来一些优势(彩虹表使这变得容易),但这仍然不是一个很好的解决方案。为了安全起见,请使用 bcrypt 之类的东西,也不要尝试编写自己的加密代码。

http://codahale.com/how-to-safely-store-a-password/

Secure password storage is hard. Salting and using a stronger hash like SHA-1 get you some advantages over straight md5 hashing (rainbow tables make this easy), but it is still not a great solution. Use something like bcrypt for security and also never try and write your own crypto code.

世俗缘 2024-11-12 12:14:29

不要使用 MD5。使用 SHA1 或 SHA256 或 MD5 以外的其他算法,因为 MD5 不那么安全。我不知道 SHA1 的安全级别(毕竟,他们确实制作了 SHA256),但我确实了解 MD5 的“安全性”,那就是它被发现存在缺陷。

Don't use MD5. Use SHA1 or SHA256 or something other than MD5, because MD5 isn't as secure. I don't know about the level of security of SHA1 (after all, they did make an SHA256), but I do know about the "security" of MD5 and that is that it's been found wanting.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文