I have been tossing around the question of how to store the passwords in my DB for some time now. This is my first time at making a secure application with a web login, so i wanted to set up some good practices.
我一直在讨论如何在我的数据库中存储密码的问题。这是我第一次使用Web登录创建安全的应用程序,所以我想设置一些好的做法。
First, i read up on hashing and salting. It seems that the idea is...
首先,我读了哈希和盐渍。看来这个想法是......
- Get hashing algorithm
- 获取散列算法
- Get password from user
- 从用户获取密码
- Add 'salt' to plain text password from user
- 将“salt”添加到用户的纯文本密码中
- hash the entire password (including salt)
- 哈希整个密码(包括盐)
- Store the salt in the db so that you can retrieve it later (for verification of PSWD)
- 将salt存储在db中,以便以后可以检索它(用于验证PSWD)
And that got me thinking... If a hacker knows your salt (because it is stored in the DB somewhere, maybe a column called this_is_not_the_salt_ur_looking_for or something equally ambiguous) they can re-generate the password dictionary and gain access.
这让我想到了......如果一个黑客知道你的盐(因为它存储在DB的某个地方,可能是一个名为this_is_not_the_salt_ur_looking_for的列或者同样含糊不清的列),他们可以重新生成密码字典并获得访问权限。
Then i had an idea. What if you stored your salt inside the hashed password field. So follow steps 1-4 (randomly generating the salt), then in step 5, insert the salt in the password somewhere known by the password interpreting class or service:
然后我有了一个主意。如果您将盐存储在哈希密码字段中,该怎么办?所以按照步骤1-4(随机生成盐),然后在步骤5中,将盐插入密码解释类或服务已知的密码:
xxxxxsaltvaluexxxxxxxxxxxxxxxx
xxxxxsaltvaluexxxxxxxxxxxxxxxx
where x is the hashed string values. Can anyone see any issues with this? is it just completely unnecessary?
其中x是散列字符串值。任何人都可以看到这个问题吗?它完全没必要吗?
Answer:
There is no reason why this couldnt be done. As Yahia states, other methods of securing a password include double (or n) hashing. On another note, BCrypt looks like a good method of stopping brute force attacks almost entirely, but I couldnt find a trusted library for C#
答:没有理由不这样做。正如Yahia所述,其他保护密码的方法包括双重(或n)散列。另一方面,BCrypt看起来几乎完全是一种阻止暴力攻击的好方法,但我找不到一个可靠的C#库
Thanks!
TTD
谢谢! TTD
3 个解决方案
#1
6
From a security standpoint that is not necessary as long you only store the hashed password (NEVER store the cleartext password!) plus the salt... an attacker is "allowed" to know the salt - your security must be designed in a way that even with the knowledge of the salt it is still secure.
从安全的角度来看,只要你只存储哈希密码(不要存储明文密码!)加上盐......攻击者“被允许”知道盐 - 你的安全必须以一种方式设计即使有了盐的知识,它仍然是安全的。
What does the salt do ?
盐有什么作用?
Salt aids in defending against brute-force attacks using pre-computed "rainbow-tables".
Salt makes brute-force much more expensive (in time/memory terms) for the attacker.
Calculating such a table is expensive and usually only done when it can be used for more than one attack/password.
IF you use the same salt for all password an attacker could pre-compute such a table and then brute-force your passwords into cleartext...
As long as you generate a new (best cryptogrpahically strong) random salt for every password you want to store the hash of there is no problem.
Salt使用预先计算的“彩虹表”帮助抵御暴力攻击。对于攻击者来说,盐使暴力成本更高(在时间/内存方面)。计算这样一个表是很昂贵的,通常只有当它可以用于多个攻击/密码时才会这样做。如果您对所有密码使用相同的盐,则攻击者可以预先计算此类表,然后将您的密码暴力强制为明文...只要您为每个密码生成一个新的(最好的密码强)随机盐存储哈希没有问题。
As for your idea in "disguising" the salt
That is more of "security by obscurity" which should be avoided.
Although in this case I neither see any positive nor negative effect.
至于你在“掩饰”盐的想法更多的是“默默无闻的安全”,应该避免。虽然在这种情况下我既没有看到任何积极或消极的影响。
IF you want to strengthen the security further
You could calculate the hash several times over (hash the hash etc.) - this doesn't cost you much but it makes a brute-force attack / calculating "rainbow-tables" even more expensive... please don't invent yourself - there are proven standard methods to do so, see for example http://en.wikipedia.org/wiki/PBKDF2 and http://msdn.microsoft.com/en-us/library/system.security.cryptography.rfc2898derivebytes.aspx
如果你想进一步加强安全性你可以多次计算哈希值(散列哈希等) - 这不会花费你太多但是它使得暴力攻击/计算“彩虹表”更加昂贵。 ..请不要发明自己 - 有经过验证的标准方法,请参阅http://en.wikipedia.org/wiki/PBKDF2和http://msdn.microsoft.com/en-us/library /system.security.cryptography.rfc2898derivebytes.aspx
#3
0
Just hash the Password and save the Hash value in your Database, once the User logs in again you calculate the Hash value of the passwort he enteres and compare it with the one saved in your Database, you dont need to know the password. a Hacker wouldnt be able to get the password if he gets the Hashvalue.
只需哈希密码并将哈希值保存在数据库中,一旦用户再次登录,您计算他进入的密码的哈希值,并将其与数据库中保存的密码进行比较,您不需要知道密码。如果黑客获得Hashvalue,黑客将无法获得密码。
If you Use Salting you will increase security by saving the Salt and the Hash value it belongs to, the end value is calculated using the generated salt combined with the password from which the hash value was calculated, the password is not saved in your database but only the calculated Hash value, it means an evtl. Hacker cant do anything having only the Hash value and Salt.
如果使用Salting,您将通过保存它所属的Salt和Hash值来提高安全性,使用生成的salt结合计算哈希值的密码来计算结束值,密码不会保存在您的数据库中但是只计算出哈希值,它意味着一个evtl。黑客不能做任何只有Hash值和Salt的事情。
Read this
读这个
#1
6
From a security standpoint that is not necessary as long you only store the hashed password (NEVER store the cleartext password!) plus the salt... an attacker is "allowed" to know the salt - your security must be designed in a way that even with the knowledge of the salt it is still secure.
从安全的角度来看,只要你只存储哈希密码(不要存储明文密码!)加上盐......攻击者“被允许”知道盐 - 你的安全必须以一种方式设计即使有了盐的知识,它仍然是安全的。
What does the salt do ?
盐有什么作用?
Salt aids in defending against brute-force attacks using pre-computed "rainbow-tables".
Salt makes brute-force much more expensive (in time/memory terms) for the attacker.
Calculating such a table is expensive and usually only done when it can be used for more than one attack/password.
IF you use the same salt for all password an attacker could pre-compute such a table and then brute-force your passwords into cleartext...
As long as you generate a new (best cryptogrpahically strong) random salt for every password you want to store the hash of there is no problem.
Salt使用预先计算的“彩虹表”帮助抵御暴力攻击。对于攻击者来说,盐使暴力成本更高(在时间/内存方面)。计算这样一个表是很昂贵的,通常只有当它可以用于多个攻击/密码时才会这样做。如果您对所有密码使用相同的盐,则攻击者可以预先计算此类表,然后将您的密码暴力强制为明文...只要您为每个密码生成一个新的(最好的密码强)随机盐存储哈希没有问题。
As for your idea in "disguising" the salt
That is more of "security by obscurity" which should be avoided.
Although in this case I neither see any positive nor negative effect.
至于你在“掩饰”盐的想法更多的是“默默无闻的安全”,应该避免。虽然在这种情况下我既没有看到任何积极或消极的影响。
IF you want to strengthen the security further
You could calculate the hash several times over (hash the hash etc.) - this doesn't cost you much but it makes a brute-force attack / calculating "rainbow-tables" even more expensive... please don't invent yourself - there are proven standard methods to do so, see for example http://en.wikipedia.org/wiki/PBKDF2 and http://msdn.microsoft.com/en-us/library/system.security.cryptography.rfc2898derivebytes.aspx
如果你想进一步加强安全性你可以多次计算哈希值(散列哈希等) - 这不会花费你太多但是它使得暴力攻击/计算“彩虹表”更加昂贵。 ..请不要发明自己 - 有经过验证的标准方法,请参阅http://en.wikipedia.org/wiki/PBKDF2和http://msdn.microsoft.com/en-us/library /system.security.cryptography.rfc2898derivebytes.aspx
#2
#3
0
Just hash the Password and save the Hash value in your Database, once the User logs in again you calculate the Hash value of the passwort he enteres and compare it with the one saved in your Database, you dont need to know the password. a Hacker wouldnt be able to get the password if he gets the Hashvalue.
只需哈希密码并将哈希值保存在数据库中,一旦用户再次登录,您计算他进入的密码的哈希值,并将其与数据库中保存的密码进行比较,您不需要知道密码。如果黑客获得Hashvalue,黑客将无法获得密码。
If you Use Salting you will increase security by saving the Salt and the Hash value it belongs to, the end value is calculated using the generated salt combined with the password from which the hash value was calculated, the password is not saved in your database but only the calculated Hash value, it means an evtl. Hacker cant do anything having only the Hash value and Salt.
如果使用Salting,您将通过保存它所属的Salt和Hash值来提高安全性,使用生成的salt结合计算哈希值的密码来计算结束值,密码不会保存在您的数据库中但是只计算出哈希值,它意味着一个evtl。黑客不能做任何只有Hash值和Salt的事情。
Read this
读这个