为什么重新哈希会使其更安全?
读一本书上说:反复重新散列以获得计算量更大的字节序列。如果重新哈希 100 次,原本需要 1 个月的字典攻击将需要 8 年。为什么?我不明白。任何人都可以解释一下吗?
Reading a book that said: Repeatedly rehashing to obtain more computationally intensive byte sequence. If you rehashing 100 times, a dictionary attack that might otherwise take 1 month would take 8 years. Why? I don't understand. Anyone can explain?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
假设您有一个像这样的哈希函数:
给定一个哈希值,例如 5f4dcc3b5aa765d61d8327deb882cf99,您的首选技术是使用上述函数生成字典中所有单词的哈希值,然后将 password_hash 与您想要反转的哈希值进行比较。
现在假设您将哈希函数更改为
作为攻击者,这次您必须对字典中的每个单词进行哈希 100 次,以将其与您想要暴力破解的给定哈希进行比较。因此,如果您多次对密码进行哈希处理,攻击者需要更长的时间才能暴力破解给定的哈希值。
正是出于这个目的,MD5 和 SHA 系列等快速哈希算法不太适合对密码进行哈希处理。您可以阅读 http://codahale.com/how-to-safely-store -a-password/ 了解像 bcrypt 这样的慢速算法如何更适合密码散列。
Suppose you have a hashing function like this:
Given a hash, say 5f4dcc3b5aa765d61d8327deb882cf99, your preferred technique will be to generate hashes of all the words in a dictionary using the above function and then compare the password_hash to the one you want to reverse.
Now suppose you change your hashing function to
As an attacker, this time you'll have to hash each word in your dictionary 100 times to compare it with the given hash you want to brute force. Hence it takes much longer for an attacker to brute force a given hash if you've hashed your password multiple times.
It is for this very purpose, fast hashing algorithms like MD5 and SHA family aren't very suitable for hashing passwords. You can read http://codahale.com/how-to-safely-store-a-password/ to get insight of how a slow algorithm like bcrypt is more suited for password hashing.