問題描述

我正在創(chuàng)建一個游戲社區(qū)網(wǎng)站，我打算盡快向公眾發(fā)布.目前，我正在處理密碼和登錄信息.我之前只使用過 MD5，但我已經(jīng)閱讀了有關(guān)密碼安全的文章，并聽說目前可以使用 salting.

I'm in the process of creating a gaming community site that I'm aiming to release to the public soon. Currently, I'm working on passwords and logins. I've only used MD5 before, but I've read about password safety and heard that salting is currently the way to go.

這是我的計(jì)劃:每個用戶都有自己獨(dú)特的 12 個隨機(jī)字符(#/¤& 等)，存儲在 users 表中.鹽在注冊時與密碼一起散列(使用 SHA-256)，并在登錄時重新散列.

Here's my plan: Every user has their own unique salt of 12 random characters (#/¤& etc), stored in the users table. The salt is hashed (using SHA-256) along with the password on registration, and re-hashed on login.

這聽起來如何?我有什么可以改進(jìn)的嗎?我應(yīng)該選擇 SHA-512 和更長的鹽，還是這樣就足夠了?

How does this sound to you? Anything I can improve? Should I go for SHA-512 and a longer salt, or is this enough?

推薦答案

您建議的 12 個字節(jié)應(yīng)該是鹽的足夠長度.這需要字典攻擊來準(zhǔn)備 2⁹⁶ 個散列密碼數(shù)據(jù)庫.總有一天，這對破解者來說可能是一項(xiàng)微不足道的操作，但我們離實(shí)現(xiàn)這一目標(biāo)還有很長的路要走.

Your suggestion of 12 bytes should be an adequate length for a salt. That would require a dictionary attack to prepare 2⁹⁶ databases of hashed passwords. Someday this might be a trivial operation for a cracker, but we're still a ways off from that.

NIST 推薦 SHA256，因?yàn)樗哂凶銐虻拿艽a散列強(qiáng)度，至少目前是這樣.

SHA256 is recommended by NIST as having adequate hashing strength for passwords, at least for now.

如果您想探索更強(qiáng)大的密碼安全方法，請研究密鑰強(qiáng)化技術(shù)，例如 PBKDF2，或使用 Bcrypt 進(jìn)行自適應(yīng)散列.但是這些在 SQL 中沒有直接支持.您必須在應(yīng)用程序代碼中進(jìn)行散列，然后將散列摘要發(fā)布到您的數(shù)據(jù)庫中.

If you want to explore even stronger methods of password security, look into key-strengthening techniques like PBKDF2, or adaptive hashing with Bcrypt. But these have no direct support in SQL. You'd have to do the hashing in application code and then post the hash digest to your database.

對于游戲網(wǎng)站來說，這似乎是一種過度的安全措施，但這樣做是一種很好的做法.因?yàn)樵S多用戶(不明智地)使用相同的密碼登錄游戲和登錄銀行！您不想為間接導(dǎo)致重大損失的身份驗(yàn)證違規(guī)行為負(fù)責(zé).

It may seem like security overkill for a gaming site, but it's a good practice to do it. Because many users (inadvisably) use the same password for their gaming login as they do for their banking login! You don't want to be responsible for an authentication breach that leads indirectly to major losses.

這篇關(guān)于我的密碼鹽應(yīng)該多長時間，SHA-256 是否足夠好?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！