I've been reading Stack Overflow questions for about 15 minutes now and every single one seems to contradict the previous one I read. Bcrypt, SHA1, MD5, and so on. I currently MD5 my passwords, but I want to make my database more secure in case of a breach.
我现在已经阅读了Stack Overflow大约15分钟的问题,而且每一个问题似乎与我之前阅读过的问题相矛盾。 Bcrypt,SHA1,MD5等。我目前MD5我的密码,但我想让我的数据库更安全,以防万一。
I know this has been asked a million times, but I can't seem to find a decent answer anywhere else.
我知道这已被问了一百万次,但我似乎无法在其他任何地方找到合适的答案。
Thanks.
谢谢。
6 个解决方案
#1
11
The reason you see contradictory answers is because there is no right one. You should use the most secure method that your application can support. More secure = more overhead.
你看到矛盾的答案的原因是因为没有正确的答案。您应该使用应用程序可以支持的最安全的方法。更安全=更多开销。
MD5 has been broken and cracked.
MD5已被打破并破裂。
According to this article, SHA1 is broken. However it has not yet been cracked.
根据这篇文章,SHA1被打破了。但它还没有被破解。
bcrypt has not (to the best of my knowledge) been found to be broken.
bcrypt没有(据我所知)被发现被打破。
Given enough CPU cycles, any hashing or encryption algorithm can eventually be circumvented. Your decision should balance the security of your data with the performance of your application.
给定足够的CPU周期,最终可以规避任何散列或加密算法。您的决定应该平衡数据的安全性和应用程序的性能。
Given those caveats, bcrypt is the defacto standard at this time. It is designed for strength, not speed, and is not known to be broken. For an index of information about bcrypt, see the bcrypt article on Wikipedia.
鉴于这些警告,bcrypt是目前的事实标准。它专为强度而非速度而设计,并且不为人所知。有关bcrypt的信息索引,请参阅Wikipedia上的bcrypt文章。
#2
9
I'd go with bcrypt. It drastically reduces the ability to generate rainbow tables.
我会选择bcrypt。它大大降低了生成彩虹表的能力。
http://codahale.com/how-to-safely-store-a-password/
http://codahale.com/how-to-safely-store-a-password/
It's important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn't affect how fast an attacker can try a candidate password, given the hash and the salt from your database.
重要的是要注意盐对于防止字典攻击或暴力攻击是无用的。您可以使用大盐或许多盐或手工采摘,遮荫种植,有机喜马拉雅粉红盐。考虑到数据库中的哈希值和salt,它不会影响攻击者尝试候选密码的速度。
#3
2
First of all, MD5 isn't a very good option nowadays. If an attacker would get to your database, and get the MD5 hashes, it is almost certain that he will be also able to crack them. MD5 hashes of weak passwords can be cracked even bruteforce by a casual computer.
首先,MD5现在不是一个很好的选择。如果攻击者进入你的数据库并获得MD5哈希值,那几乎可以肯定他也能够破解它们。弱密码的MD5哈希可以通过休闲计算机破解甚至暴力。
You should google some articles about salting your hashes, and use that method combined with a stronger hashing algorithm (at least SHA1), and maybe repeat the process few times.
你应该谷歌一些关于盐化你的哈希的文章,并使用该方法结合更强的哈希算法(至少SHA1),并可能重复几次这个过程。
I am not going to write about salting, as many articles have been already written about it, and also here on Stack Overflow you can find many good discussions about the problem. E.g. Why do salts make dictionary attacks 'impossible'? or How does password salt help against a rainbow table attack?
我不会写关于salting的文章,因为很多文章已经写过,而且在Stack Overflow上你可以找到很多关于这个问题的好讨论。例如。为什么盐使字典攻击“不可能”?或密码盐如何帮助对抗彩虹表攻击?
#4
1
Use MD5, SHA1 or whatever encryption you want with a SALT
.
在SALT中使用MD5,SHA1或任何所需的加密。
For this example, I'm just going to use MD5 for explanation sake.
对于这个例子,我只是为了解释而使用MD5。
So user chooses a password, store that in $password for instance.
因此用户选择密码,例如以$ password存储。
Now create a salt that's specific to your application.
现在创建一个特定于您的应用程序的salt。
$salt = 'my very own salt'; // or maybe make a random string for your salt
Then do
然后做
$more_difficult_password = md5($salt . $password);
This way people can't use dictionary attacks by just googling your MD5 string if it ever got compromised somehow.
这样人们就不会使用字典攻击,只要谷歌搜索MD5字符串,如果它以某种方式受到损害。
#5
1
When a user registers, create a random salt
using, for example, the following function:
当用户注册时,使用例如以下函数创建随机盐:
$bytes = 50;
$salt = base64_encode(openssl_random_pseudo_bytes($bytes));
Store this in a database table. The best is to store it in an external database. After this, create a random code and store it together with your salt into the external database. Than store the random code in your users table and it will almost be impossible for an attacker to find your salt.
将其存储在数据库表中。最好的方法是将其存储在外部数据库中。在此之后,创建一个随机代码并将其与salt一起存储到外部数据库中。然后将随机代码存储在用户表中,攻击者几乎不可能找到你的盐。
After this, store your password in, for example, this way:
在此之后,将密码存储在,例如,这样:
$password_to_store_in_mysql = hash('sha512', $salt . $user_password);
When a user logs in, get the salt out of the external database en check if the salt and the password match.
当用户登录时,从外部数据库中获取salt,检查salt和密码是否匹配。
#6
0
You can use secret key of your website and particular salt of every user with your password. Your secret key of your website should be saved in your database and then fetch it and use.
您可以使用您的密码来使用您的网站的密钥和每个用户的特定盐。您的网站密钥应保存在您的数据库中,然后获取并使用。
The combination becomes.
组合成了。
$secret = "your key from database";
$salt = "user salt";// make it randomly
$password = $_POST['password'];
$new_pass = md5($secret.$salt.$password);
Now this combinations will store in database.
现在这种组合将存储在数据库中。
At the time of login, use again this combination to match.
登录时,再次使用此组合进行匹配。
I think it can help more to secure your application.
我认为它可以帮助您更好地保护您的应用程序。
Cheers..!!
干杯..!!
#1
11
The reason you see contradictory answers is because there is no right one. You should use the most secure method that your application can support. More secure = more overhead.
你看到矛盾的答案的原因是因为没有正确的答案。您应该使用应用程序可以支持的最安全的方法。更安全=更多开销。
MD5 has been broken and cracked.
MD5已被打破并破裂。
According to this article, SHA1 is broken. However it has not yet been cracked.
根据这篇文章,SHA1被打破了。但它还没有被破解。
bcrypt has not (to the best of my knowledge) been found to be broken.
bcrypt没有(据我所知)被发现被打破。
Given enough CPU cycles, any hashing or encryption algorithm can eventually be circumvented. Your decision should balance the security of your data with the performance of your application.
给定足够的CPU周期,最终可以规避任何散列或加密算法。您的决定应该平衡数据的安全性和应用程序的性能。
Given those caveats, bcrypt is the defacto standard at this time. It is designed for strength, not speed, and is not known to be broken. For an index of information about bcrypt, see the bcrypt article on Wikipedia.
鉴于这些警告,bcrypt是目前的事实标准。它专为强度而非速度而设计,并且不为人所知。有关bcrypt的信息索引,请参阅Wikipedia上的bcrypt文章。
#2
9
I'd go with bcrypt. It drastically reduces the ability to generate rainbow tables.
我会选择bcrypt。它大大降低了生成彩虹表的能力。
http://codahale.com/how-to-safely-store-a-password/
http://codahale.com/how-to-safely-store-a-password/
It's important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn't affect how fast an attacker can try a candidate password, given the hash and the salt from your database.
重要的是要注意盐对于防止字典攻击或暴力攻击是无用的。您可以使用大盐或许多盐或手工采摘,遮荫种植,有机喜马拉雅粉红盐。考虑到数据库中的哈希值和salt,它不会影响攻击者尝试候选密码的速度。
#3
2
First of all, MD5 isn't a very good option nowadays. If an attacker would get to your database, and get the MD5 hashes, it is almost certain that he will be also able to crack them. MD5 hashes of weak passwords can be cracked even bruteforce by a casual computer.
首先,MD5现在不是一个很好的选择。如果攻击者进入你的数据库并获得MD5哈希值,那几乎可以肯定他也能够破解它们。弱密码的MD5哈希可以通过休闲计算机破解甚至暴力。
You should google some articles about salting your hashes, and use that method combined with a stronger hashing algorithm (at least SHA1), and maybe repeat the process few times.
你应该谷歌一些关于盐化你的哈希的文章,并使用该方法结合更强的哈希算法(至少SHA1),并可能重复几次这个过程。
I am not going to write about salting, as many articles have been already written about it, and also here on Stack Overflow you can find many good discussions about the problem. E.g. Why do salts make dictionary attacks 'impossible'? or How does password salt help against a rainbow table attack?
我不会写关于salting的文章,因为很多文章已经写过,而且在Stack Overflow上你可以找到很多关于这个问题的好讨论。例如。为什么盐使字典攻击“不可能”?或密码盐如何帮助对抗彩虹表攻击?
#4
1
Use MD5, SHA1 or whatever encryption you want with a SALT
.
在SALT中使用MD5,SHA1或任何所需的加密。
For this example, I'm just going to use MD5 for explanation sake.
对于这个例子,我只是为了解释而使用MD5。
So user chooses a password, store that in $password for instance.
因此用户选择密码,例如以$ password存储。
Now create a salt that's specific to your application.
现在创建一个特定于您的应用程序的salt。
$salt = 'my very own salt'; // or maybe make a random string for your salt
Then do
然后做
$more_difficult_password = md5($salt . $password);
This way people can't use dictionary attacks by just googling your MD5 string if it ever got compromised somehow.
这样人们就不会使用字典攻击,只要谷歌搜索MD5字符串,如果它以某种方式受到损害。
#5
1
When a user registers, create a random salt
using, for example, the following function:
当用户注册时,使用例如以下函数创建随机盐:
$bytes = 50;
$salt = base64_encode(openssl_random_pseudo_bytes($bytes));
Store this in a database table. The best is to store it in an external database. After this, create a random code and store it together with your salt into the external database. Than store the random code in your users table and it will almost be impossible for an attacker to find your salt.
将其存储在数据库表中。最好的方法是将其存储在外部数据库中。在此之后,创建一个随机代码并将其与salt一起存储到外部数据库中。然后将随机代码存储在用户表中,攻击者几乎不可能找到你的盐。
After this, store your password in, for example, this way:
在此之后,将密码存储在,例如,这样:
$password_to_store_in_mysql = hash('sha512', $salt . $user_password);
When a user logs in, get the salt out of the external database en check if the salt and the password match.
当用户登录时,从外部数据库中获取salt,检查salt和密码是否匹配。
#6
0
You can use secret key of your website and particular salt of every user with your password. Your secret key of your website should be saved in your database and then fetch it and use.
您可以使用您的密码来使用您的网站的密钥和每个用户的特定盐。您的网站密钥应保存在您的数据库中,然后获取并使用。
The combination becomes.
组合成了。
$secret = "your key from database";
$salt = "user salt";// make it randomly
$password = $_POST['password'];
$new_pass = md5($secret.$salt.$password);
Now this combinations will store in database.
现在这种组合将存储在数据库中。
At the time of login, use again this combination to match.
登录时,再次使用此组合进行匹配。
I think it can help more to secure your application.
我认为它可以帮助您更好地保护您的应用程序。
Cheers..!!
干杯..!!