用户密码盐的最佳长度是多少?

时间:2022-07-24 05:01:20

Any salt at all will obviously help when salting and hashing a user's password. Are there any best practices for how long the salt should be? I'll be storing the salt in my user table, so I would like the best tradeoff between storage size and security. Is a random 10 character salt enough? Or do I need something longer?

当盐析和散列用户密码时,任何盐显然都会有所帮助。盐的存在时间是否有最佳实践?我将盐存储在我的用户表中,所以我希望在存储大小和安全性之间进行最佳权衡。是一个随机的10个字符的盐吗?或者我需要更长的东西?

5 个解决方案

#1


61  

Most of these answers are a bit misguided and demonstrate a confusion between salts and cryptographic keys. The purpose of including salts is to modify the function used to hash each user's password so that each stored password hash will have to be attacked individually. The only security requirement is that they are unique per user, there is no benefit in them being unpredictable or difficult to guess.

大多数这些答案都有点误导,并证明了盐和加密密钥之间的混淆。包含salt的目的是修改用于散列每个用户密码的函数,以便每个存储的密码散列都必须单独攻击。唯一的安全要求是每个用户都是唯一的,没有任何好处是不可预测或难以猜测。

Salts only need to be long enough so that each user's salt will be unique. Random 64-bit salts are very unlikely to ever repeat even with a billion registered users, so this should be fine. A singly repeated salt is a relatively minor security concern, it allows an attacker to search two accounts at once but in the aggregate won't speed up the search much on the whole database. Even 32-bit salts are acceptable for most purposes, it will in the worst case speed an attacker's search by about 58%. The cost of increasing salts beyond 64 bits isn't high but there is no security reason to do so.

盐只需要足够长,以便每个用户的盐都是独特的。即使有十亿注册用户,随机64位盐也不太可能重复,所以这应该没问题。单独重复的盐是一个相对较小的安全问题,它允许攻击者一次搜索两个帐户,但总的来说不会在整个数据库上加快搜索速度。在大多数情况下,即使是32位盐也是可以接受的,在最坏的情况下,攻击者的搜索速度将提高约58%。增加盐超过64位的成本并不高,但没有安全理由这样做。

There is some benefit to also using a site-wide salt on top of the per-user salt, this will prevent possible collisions with password hashes stored at other sites, and prevent the use of general-purpose rainbow tables, although even 32 bits of salt is enough to make rainbow tables an impractical attack.

在每用户盐之上使用站点范围的盐也有一些好处,这将防止可能与存储在其他站点的密码哈希冲突,并防止使用通用彩虹表,尽管甚至32位盐足以使彩虹表成为不切实际的攻击。

Even simpler-and developers always overlook this-if you have unique user IDs or login names, those serve perfectly fine as a salt. If you do this, you should add a site-wide salt to ensure you don't overlap with users of another system who had the same bright idea.

甚至更简单 - 开发人员总是忽略这一点 - 如果你有唯一的用户ID或登录名,那些服务就像盐一样完美。如果您这样做,您应该添加一个站点范围的盐,以确保您不与具有相同好主意的另一个系统的用户重叠。

#2


34  

Currently accepted standards for hashing passwords create a new 16 character long salt for every password and store the salt with the password hash.

当前公认的散列密码标准为每个密码创建一个新的16个字符长的盐,并使用密码哈希存储盐。

Of course proper cryptographic care to create really random salt should be taken.

当然,应该采取适当的加密护理来创建真正的随机盐。

#3


23  

Edit: My below answer answers the question as asked, but the "real" answer is: just use bcrypt, scrypt, or Argon2. If you're asking questions like this, you're almost certainly using tools at too low a level.

编辑:我的下面的答案回答了问题,但“真正的”答案是:只使用bcrypt,scrypt或Argon2。如果你问这样的问题,你几乎肯定会使用太低级别的工具。

Honestly, there's no defensible reason not to have the salt be the same exact length as the hashed password. If you're using SHA-256, then you have a 256-bit hash. There's no reason not to use a 256-bit salt.

老实说,没有可靠的理由不让盐与散列密码的长度相同。如果您使用的是SHA-256,那么您将拥有256位哈希值。没有理由不使用256位盐。

More than 256 bits won't net you any improvement in security, mathematically. But going with a shorter salt may always end up with a situation where a rainbow table catches up to your salt length -- especially with shorter salts.

从数学角度来说,超过256位不会对您的安全性有任何改进。但是,使用较短的盐可能总是会遇到一个彩虹表赶上你的盐长度的情况 - 特别是用较短的盐。

#4


7  

Wikipedia:

The SHA2-crypt and bcrypt methods—used in Linux, BSD Unixes, and Solaris—have salts of 128 bits. These larger salt values make precomputation attacks for almost any length of password infeasible against these systems for the foreseeable future.

在Linux,BSD Unix和Solaris中使用的SHA2-crypt和bcrypt方法具有128位的盐。在可预见的将来,这些较大的盐值会对几乎任何长度的密码进行预计算攻击,这些密码对这些系统是不可行的。

128-bit (16-byte) salt will be enough. You can represent it as a sequence of 128 / 4 = 32 hexadecimal digits.

128位(16字节)盐就足够了。您可以将其表示为128/4 = 32个十六进制数字的序列。

#5


2  

One answer might be to use as size of salt the value that the hash you are going to use provides in term of security.

一个答案可能是将盐的大小用作您将要使用的哈希值在安全性方面提供的值。

E.g. If you are going to use SHA-512 use 256 bit salt since the security provided by SHA-512 is 256 bit.

例如。如果您打算使用SHA-512使用256位盐,因为SHA-512提供的安全性是256位。

#1


61  

Most of these answers are a bit misguided and demonstrate a confusion between salts and cryptographic keys. The purpose of including salts is to modify the function used to hash each user's password so that each stored password hash will have to be attacked individually. The only security requirement is that they are unique per user, there is no benefit in them being unpredictable or difficult to guess.

大多数这些答案都有点误导,并证明了盐和加密密钥之间的混淆。包含salt的目的是修改用于散列每个用户密码的函数,以便每个存储的密码散列都必须单独攻击。唯一的安全要求是每个用户都是唯一的,没有任何好处是不可预测或难以猜测。

Salts only need to be long enough so that each user's salt will be unique. Random 64-bit salts are very unlikely to ever repeat even with a billion registered users, so this should be fine. A singly repeated salt is a relatively minor security concern, it allows an attacker to search two accounts at once but in the aggregate won't speed up the search much on the whole database. Even 32-bit salts are acceptable for most purposes, it will in the worst case speed an attacker's search by about 58%. The cost of increasing salts beyond 64 bits isn't high but there is no security reason to do so.

盐只需要足够长,以便每个用户的盐都是独特的。即使有十亿注册用户,随机64位盐也不太可能重复,所以这应该没问题。单独重复的盐是一个相对较小的安全问题,它允许攻击者一次搜索两个帐户,但总的来说不会在整个数据库上加快搜索速度。在大多数情况下,即使是32位盐也是可以接受的,在最坏的情况下,攻击者的搜索速度将提高约58%。增加盐超过64位的成本并不高,但没有安全理由这样做。

There is some benefit to also using a site-wide salt on top of the per-user salt, this will prevent possible collisions with password hashes stored at other sites, and prevent the use of general-purpose rainbow tables, although even 32 bits of salt is enough to make rainbow tables an impractical attack.

在每用户盐之上使用站点范围的盐也有一些好处,这将防止可能与存储在其他站点的密码哈希冲突,并防止使用通用彩虹表,尽管甚至32位盐足以使彩虹表成为不切实际的攻击。

Even simpler-and developers always overlook this-if you have unique user IDs or login names, those serve perfectly fine as a salt. If you do this, you should add a site-wide salt to ensure you don't overlap with users of another system who had the same bright idea.

甚至更简单 - 开发人员总是忽略这一点 - 如果你有唯一的用户ID或登录名,那些服务就像盐一样完美。如果您这样做,您应该添加一个站点范围的盐,以确保您不与具有相同好主意的另一个系统的用户重叠。

#2


34  

Currently accepted standards for hashing passwords create a new 16 character long salt for every password and store the salt with the password hash.

当前公认的散列密码标准为每个密码创建一个新的16个字符长的盐,并使用密码哈希存储盐。

Of course proper cryptographic care to create really random salt should be taken.

当然,应该采取适当的加密护理来创建真正的随机盐。

#3


23  

Edit: My below answer answers the question as asked, but the "real" answer is: just use bcrypt, scrypt, or Argon2. If you're asking questions like this, you're almost certainly using tools at too low a level.

编辑:我的下面的答案回答了问题,但“真正的”答案是:只使用bcrypt,scrypt或Argon2。如果你问这样的问题,你几乎肯定会使用太低级别的工具。

Honestly, there's no defensible reason not to have the salt be the same exact length as the hashed password. If you're using SHA-256, then you have a 256-bit hash. There's no reason not to use a 256-bit salt.

老实说,没有可靠的理由不让盐与散列密码的长度相同。如果您使用的是SHA-256,那么您将拥有256位哈希值。没有理由不使用256位盐。

More than 256 bits won't net you any improvement in security, mathematically. But going with a shorter salt may always end up with a situation where a rainbow table catches up to your salt length -- especially with shorter salts.

从数学角度来说,超过256位不会对您的安全性有任何改进。但是,使用较短的盐可能总是会遇到一个彩虹表赶上你的盐长度的情况 - 特别是用较短的盐。

#4


7  

Wikipedia:

The SHA2-crypt and bcrypt methods—used in Linux, BSD Unixes, and Solaris—have salts of 128 bits. These larger salt values make precomputation attacks for almost any length of password infeasible against these systems for the foreseeable future.

在Linux,BSD Unix和Solaris中使用的SHA2-crypt和bcrypt方法具有128位的盐。在可预见的将来,这些较大的盐值会对几乎任何长度的密码进行预计算攻击,这些密码对这些系统是不可行的。

128-bit (16-byte) salt will be enough. You can represent it as a sequence of 128 / 4 = 32 hexadecimal digits.

128位(16字节)盐就足够了。您可以将其表示为128/4 = 32个十六进制数字的序列。

#5


2  

One answer might be to use as size of salt the value that the hash you are going to use provides in term of security.

一个答案可能是将盐的大小用作您将要使用的哈希值在安全性方面提供的值。

E.g. If you are going to use SHA-512 use 256 bit salt since the security provided by SHA-512 is 256 bit.

例如。如果您打算使用SHA-512使用256位盐,因为SHA-512提供的安全性是256位。