如果我让每个用户的SALT都是随机的,那么我如何对他们进行认证?[英] If I make the SALT random for each user, how do I authenticate them?

本文是小编为大家收集整理的关于如果我让每个用户的SALT都是随机的,那么我如何对他们进行认证?的处理/解决方法,可以参考本文帮助大家快速定位并解决问题,中文翻译不准确的可切换到English标签页查看源文。

问题描述

我一直在阅读盐和哈希密码的好处,但是一件事仍然让我感到不安...

当我为每个用户提供随机盐时,当我尝试对其进行身份验证以登录时,我该如何知道盐是什么?

所以如果我这样做..

hashpw = pw.randomnumber

我可以将随机数存储在数据库中,但这似乎杀死了添加盐的全部.不是吗?我也可以为每种盐使用一个非随机数,但这也会杀死盐的点,因为如果他们弄清楚了所有我的用户密码...

我刚刚开始学习php和mysql和类似的抽象事物,使我感到困惑

谢谢!

推荐答案

它不会破坏储存它的唯一盐的目的.独特的盐的目的是保护您的整个用户存储库免受攻击,而不是给定的个人用户.如果攻击者妥协了您的数据库,并确定足以破解特定用户的帐户,则他们会.我们对此无能为力.但是他们必须花费大量的计算机时间来做 - 足以在每个用户上花那么多时间在上花费太多时间,从而保护所有用户是不可行的.将其与所有用户使用相同的盐进行对比 - 一旦攻击者拥有盐,可以在相对较短的时间内重新运行相同的表/过程.

其他推荐答案

盐是为每个用户随机生成的,但保存在数据库中的某个地方.您查找特定用户的盐并使用它来验证用户.

重点是,由于每个用户的盐是不同的,因此您不能使用预构建的哈希词字典来映射Hashed密码以清除文本(彩虹攻击).

其他推荐答案

盐阻止某人获得加密密码数据库的副本,并同时对密码的所有 able abter攻击.它不会阻止对单个密码的攻击.

您可能喜欢阅读原始的UNIX密码安全文章.在解释什么是盐以及为什么我们要有的情况下,它做得很好: http:http:http:http:http:http://portal.acm.org/citation.cfm?id=359172

本文地址:https://www.itbaoku.cn/post/597635.html

问题描述

I've been reading up on the benefits of salting and hashing passwords, but one thing still eludes me...

When I provide a random salt for each user, how do I then know what the salt was when I try to authenticate them to login?

so if I do..

HASHPW = PW.RANDOMNUMBER

I could store the random number in the database, but that seems to kill the entire point of adding the salt.. doesn't it? I could also use a non random number for each salt, but then that also kills the point of the salt because if they figure it out they have all my users passwords...

I just started learning PHP and MySQL and abstract things like this have been confusing me

Thanks!

推荐答案

It doesn't defeat the purpose of the unique salt to store it. The point of a unique salt is to protect your entire users repository from attack, not a given individual user. If an attacker compromises your database and is determined enough to crack a particular user's account, they will. There's nothing we can do about this. But they would have to spend an inordinate amount of computer time doing so - enough that it would not be feasible to spend that much time on each user - thus protecting all your users. Contrast this with using the same salt for all users - once the attacker has the salt, the same tables/processes can be re-run against every user in a relatively short time.

其他推荐答案

Salt is randomly generated for each user but it's saved somewhere in the database. You look up the salt for the particular user and use it to authenticate the user.

The point is, since salt is different for each user, you cannot use a prebuilt dictionary of hashes to map the hashed passwords to clear text (rainbow attack).

其他推荐答案

The salt prevents someone from getting a copy of your encrypted password database and mounting an offline attack against all of the passwords at the same time. It doesn't prevent attacks against a single password.

You might enjoy reading the original Unix password security article. It does a very good job explaining what a salt is, and why we have them: http://portal.acm.org/citation.cfm?id=359172