How is bcrypt better than md5 + salt?

2022-01-06 00:00:00 hash md5 php bcrypt joomla

Please also read the update, because that is where my actual confusion lies.

It has been quite some time since Joomla! started supporting the bcrypt hashing algorithm, alongside the md5 + salt that has been the de facto standard since Joomla! 1.5.

Now my question is: "As an end user, what benefits do I get if I start using bcrypt right away, in comparison to the current algorithm, viz. MD5 + salt? Does it even make any difference for a normal blog with a few hundred visitors daily?"

Update:

Also, I read somewhere that due to the speed of md5 hashing, my password could be easily calculated in a matter of days/months at most.

But does this not require my hash to already be present with the attacker to compare to? And if he/she doesn't have the hash in the first place, then how does the hashing algorithm that I use affect my site's security? And eventually he ends up having to brute-force my login page anyway?

And if it's down to brute-forcing their way through, then isn't bcrypt equally vulnerable to password guessing?

Answer

"But does this not require my hash to already be present with the attacker to compare to? And if he/she doesn't have the hash in the first place, then how does the hashing algorithm that I use affect my site's security? And eventually he ends up having to brute-force my login page anyway?"

First, no. Many sites allow login attempts without a rate limit. With MD5, assuming the servers can handle it, a user could very rapidly attempt to brute-force passwords just by trying lots of passwords in quick succession. bcrypt's slowness guarantees that such an attempt will be much slower.

Second, a key security concept in computing is defense in depth. You don't want just one level of security: it's fairly easy to accidentally write a SQL injection vulnerability that might let an attacker dump password hashes. By using bcrypt, you limit the damage such a vulnerability can cause.
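To make the two points in the answer concrete, here is an added PHP example (not code from the question, the answer, or Joomla itself). It stores the same password under an md5 + salt scheme and under bcrypt, measures how many verification attempts per second each one allows on this machine, and shows the upgrade-on-login pattern that replaces a legacy hash with a bcrypt hash the first time the user signs in. The legacy layout `md5(password . salt):salt` and the bcrypt cost of 12 are assumptions for the example, not values taken from the page.

```php
<?php
// Added example, not from the original question or answer.
// Compares the per-guess cost of md5+salt against bcrypt and demonstrates
// upgrade-on-login. The "md5(password . salt):salt" layout is assumed here
// as a stand-in for a legacy Joomla 1.5-style store.

declare(strict_types=1);

const BCRYPT_COST = 12;   // assumed work factor; raise it as hardware gets faster

/** Legacy scheme: MD5 with a per-user salt. Salting stops shared rainbow tables,
 *  but MD5 is fast by design, so each guess still costs almost nothing. */
function legacyHash(string $password): string
{
    $salt = bin2hex(random_bytes(16));
    return md5($password . $salt) . ':' . $salt;
}

function legacyVerify(string $password, string $stored): bool
{
    [$hash, $salt] = explode(':', $stored, 2);
    return hash_equals($hash, md5($password . $salt));
}

/** bcrypt through PHP's password_* API; the salt is generated and embedded. */
function bcryptHash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function bcryptVerify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

/** Run $n wrong guesses against one stored hash and return guesses per second.
 *  The same per-guess cost applies whether the guesses hit the login form
 *  (online) or a leaked hash table (offline). */
function guessesPerSecond(callable $verify, string $stored, int $n): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        $verify("wrong-guess-$i", $stored);   // constructed wrong guesses
    }
    $elapsed = (hrtime(true) - $start) / 1e9;
    return $n / $elapsed;
}

/** Upgrade-on-login: accept the legacy hash once, then store bcrypt for the
 *  same user, so a later hash dump no longer contains the weak hash. */
function verifyAndUpgrade(string $password, string &$stored): bool
{
    if (str_starts_with($stored, '$2y$')) {              // already bcrypt
        if (!password_verify($password, $stored)) {
            return false;
        }
        if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
            $stored = bcryptHash($password);             // cost was raised since then
        }
        return true;
    }
    if (!legacyVerify($password, $stored)) {
        return false;
    }
    $stored = bcryptHash($password);                     // replace md5+salt on success
    return true;
}

// Demonstration on a constructed password.
$password = 'correct horse battery staple';
$legacy   = legacyHash($password);
$bcrypt   = bcryptHash($password);

printf("md5+salt: %10.0f guesses/s\n", guessesPerSecond('legacyVerify', $legacy, 20000));
printf("bcrypt:   %10.1f guesses/s at cost %d\n",
       guessesPerSecond('bcryptVerify', $bcrypt, 5), BCRYPT_COST);

$stored = $legacy;
var_dump(verifyAndUpgrade($password, $stored));   // bool(true), legacy hash accepted
var_dump(str_starts_with($stored, '$2y$'));        // bool(true), now stored as bcrypt
var_dump(verifyAndUpgrade('wrong', $stored));     // bool(false)
```

On typical hardware the md5 + salt figure is in the hundreds of thousands of guesses per second while bcrypt at cost 12 is a few per second, which is the gap the answer refers to: it applies to an attacker hammering an unrated login form and, after a hash leak, to offline cracking alike. The upgrade path matters because a site that merely switches the default for new accounts keeps every existing md5 hash until each of those users logs in, so the legacy branch above is exactly the code path to keep until the table contains no `:`-separated entries.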
