Problem description
Please also read the update, since my actual confusion is "in there".
It has been quite some time since Joomla! started supporting the bcrypt
hashing algorithm, alongside the md5 + salt
that has been the de facto since Joomla! 1.5.
Now my question is "As an end user, what benefits do I get if I start using Bcrypt
right away, in comparison to the current algorithm, viz. MD5 + salt?
Does it even make any difference for a normal blog with a few hundred visitors daily?"
Update:-
Also I read somewhere that due to the speed of md5
hashing, my password could be easily calculated in a matter of days/months at most.
But does this not require my hash to already be present with the attacker to compare to? And if he/she doesn't have the hash in the first place, then how does the hashing algorithm that I use affect my site's security? And eventually he ends up having to brute force my login page anyway?
And if it's down to brute forcing their way through, then isn't Bcrypt
equally vulnerable to password guessing?
Note: Why the downvotes? This is a logical concern as an end user. :(
Recommended answer
First, no. Many sites allow login attempts without a rate limit. With MD5, assuming the servers can handle it, a user could very rapidly attempt to brute-force passwords just by trying lots of passwords in quick succession. bcrypt's slowness guarantees that such an attempt will be much slower.
Second, a key security concept in computing is defense in depth. You don't want just one level of security - it's fairly easy to accidentally write a SQL injection vulnerability that might let an attacker dump password hashes. By using bcrypt, you limit the damage such a vulnerability can cause.
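An added example in PHP (Joomla!'s language), not code from the question, the answer, or Joomla! itself, that makes the answer's first point measurable: one core can check far more candidate passwords per second against a legacy md5 + salt hash than against a bcrypt hash produced by PHP's password_hash(). The legacy storage format "md5(password . salt):salt" is an assumption about Joomla! 1.5, and the sample password and guesses are constructed.

```php
<?php
// Added example (not from the original post or from Joomla!): compares the
// per-guess cost of the legacy md5+salt scheme with bcrypt, using PHP's
// password_hash()/password_verify(). The legacy storage format
// "md5(password . salt):salt" is an assumption about Joomla! 1.5.
declare(strict_types=1);

// Legacy scheme: one fast MD5 over password + a random salt.
function legacyHash(string $password): string
{
    $salt = bin2hex(random_bytes(8));              // 16 hex characters
    return md5($password . $salt) . ':' . $salt;
}

function legacyVerify(string $password, string $stored): bool
{
    [$hash, $salt] = explode(':', $stored, 2);
    return hash_equals($hash, md5($password . $salt));
}

// bcrypt: each increment of the cost parameter doubles the work per guess,
// and the cost is stored in the hash so it can be raised for new passwords.
function bcryptHash(string $password, int $cost = 12): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// How many wrong candidates per second one core can check against one stored
// hash. This rate bounds both an online attack on the login form (absent rate
// limiting) and an offline attack on a hash dumped via, e.g., SQL injection.
function guessesPerSecond(callable $verify, string $stored, int $guesses): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $guesses; $i++) {
        $verify("wrong-guess-$i", $stored);        // constructed candidates
    }
    return $guesses / ((hrtime(true) - $start) / 1e9);
}

$password = 'correct horse battery staple';         // constructed sample
$legacy = legacyHash($password);
$bcrypt = bcryptHash($password);
if (!legacyVerify($password, $legacy) || !password_verify($password, $bcrypt)) {
    throw new RuntimeException('self-check failed');
}

printf("md5+salt: %.0f guesses/s\n", guessesPerSecond('legacyVerify', $legacy, 20000));
printf("bcrypt  : %.2f guesses/s\n", guessesPerSecond('password_verify', $bcrypt, 5));
```

Raising the bcrypt cost by one halves the second figure while leaving the first untouched, which is the gap the answer refers to; neither figure replaces rate limiting on the login form.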
This concludes the article "Is Bcrypt better than md5 + salt?". We hope the recommended answer is helpful to everyone, and we hope you will continue to support us!