问题描述

好的，我想了解使用盐的原因.

Ok, I’m trying to understand the reason to use salt.

当用户注册时，我会为他/她生成一个唯一的盐，并将其存储在数据库中.然后我用SHA1对它和密码进行哈希处理.当他/她登录时，我用sha1($salt.$password)重新哈希它.

When a user registers I generate a unique salt for him/her that I store in DB. Then I hash it and the password with SHA1. And when he/she is logging in I re-hash it with sha1($salt.$password).

但是，如果有人入侵了我的数据库，他可以看到哈希密码和密码.

But if someone hacks my database he can see the hashed password AND the salt.

要破解密码而不是不加盐就更难破解吗?我不明白...

Is that harder to crack than just hashing the password with out salt? I don’t understand …

对不起，如果我很愚蠢……

Sorry if I’m stupid …

推荐答案

如果您不使用盐，那么攻击者甚至可以在未将密码哈希到服务器中之前就对其进行离线预计算.大量添加盐会增加该数据库的大小，从而使执行此类攻击变得更加困难.

If you don't use a salt then an attacker can precompute a password<->hash database offline even before they've broken into your server. Adding a salt massively increases the size of that database, making it harder to perform such an attack.

此外，一旦他们被破解，他们就可以猜测一个常用的密码，对其进行哈希处理，然后检查数据库中的所有密码是否匹配.由于每个用户使用不同的密码，他们一次只能攻击一个密码.

Also, once they've broken in they can guess a commonly used password, hash it, and then check all of the passwords in the database for a match. With a different salt for each user, they can only attack one password at a time.

维基百科上有一篇有关加密盐的文章.

There's an article at Wikipedia about salts in cryptography.

这篇关于“盐"的目的是什么?什么时候散列?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！