问题描述
CREATE TABLE`users`(
```INTEGER PRIMARY KEY,
`name` TEXT,
`hashed_password` TEXT,
`salt` TEXT
)
创建用户时,会生成一个随机生成的盐,并将其存储在数据库中,并与 get_hash(salt + plaintext_password)。
我想知道如果恶意用户得到这些数据,他们是否可以使用它破解用户的密码?如果是这样,它可以防止的方式是什么?
不,它们不是没用的。 b
$ b
只要你为每一行使用一种独特的盐,盐就会阻止攻击。攻击者需要进行暴力攻击,而不是使用来对付密码哈希值。
正如评论中所提到的,你应该确保salt是一个合理的大小。
Let's say I have a table of users set up like this:
CREATE TABLE `users` (
`id` INTEGER PRIMARY KEY,
`name` TEXT,
`hashed_password` TEXT,
`salt` TEXT
)
When a user is created, a randomly-generated salt is produced and stored in the database alongside the results of something like get_hash(salt + plaintext_password).
I'm wondering that if a malicious user gets their hands on this data, would they be able to use it to crack users's passwords? If so, what's a way that it could be prevented?
No, they're not useless.
So long as you use a unique salt for each row, then the salt will slow down an attack. The attacker will need to mount a brute force attack, rather than using rainbow tables against the password hashes.
As mentioned in the comments, you should ensure that the salt is a sensible size.
这篇关于如果攻击者知道它们,那么盐是否对安全无用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!