您如何在 MySQL 中安全地存储用户的密码和盐?
所以,我在 SO 上发现您应该将密码与盐"一起散列.(文章可以在这里和这里.)
So, I found out on SO that you're supposed to hash the password together with a "salt". (The articles can be found here and here.)
代码如下:
$password = 'fish';
/* should be "unique" for every user? */
$salt= 'ABC09';
$site_key = 'static_site_key';
hash_hmac('sha1', $password . $salt, $site_key);
现在我需要在 MySQL 中同时保存 $password
和 $salt
,如下所示:
And now I need to save both the $password
and $salt
in MySQL, like so:
+---------+--------+----------+-------+
| user_id | name | password | salt |
+---------+--------+----------+-------+
| 1 | krysis | fish** | ABC09 |
+---------+--------+----------+-------+
** fish
当然会被散列而不是以纯文本形式存储.
** fish
will of course be hashed and not stored in plain text.
而且我只是想知道这样做是否真的有意义,因为这样是黑客或任何也知道盐的人?那么,如果他们破解密码并且看到它是 fishABC09
他们会自动知道密码是 fish
?或者他可能永远"无法破解密码,因为他不知道 secret_key
,因为它没有存储在数据库中?
And I'm just wondering whether or not it actually makes sense to do it this way, because this way a hacker or whoever will also know the salt? So, if they crack the password and the see it's fishABC09
they automatically will know the password is fish
? Or might he "never" be able to crack the password because he doesn't know the secret_key
, as it isn't stored in the database?
如果我没有任何意义,我很抱歉.我只是一直使用 sha1
作为密码,今天我发现这些文章谈到了添加 salt
.
I'm sorry if I'm not making any sense. I just always used sha1
for passwords, and today I found these articles that talked about adding a salt
.
推荐答案
有关于正确存储密码的好文章.例如其中之一:存储密码 - 做得对!
There are good articles about storing passwords right. One of them for example: Storing Passwords - done right!
您应该为每个用户使用不同的盐,但无需单独存储盐.在another thread
You should use different salt for every user, but there's no need to store the salts separately. See similar discussion in another thread
顺便说一句,您可能不应该使用 sha1,但例如sha256 或 sha512 更强大的东西(至少避免不良宣传).对此有一个很好的答案:不安全程度如何加盐 SHA1 与加盐 SHA512
By the way, you probably shouldn't be using sha1 but e.g. sha256 or sha512 something stronger instead (at least to avoid bad publicity). There's a good answer regarding this: How insecure is a salted SHA1 compared to a salted SHA512
相关文章