This article covers best practices for hashing passwords; it may be a useful reference for anyone working through the same problem.

Question

I would like to know which method to use to store passwords in a database. I have implemented it using MD5, but according to some posts SHA1 is more secure. Is there any other method which is more secure? Please help me find the best method to secure passwords.

Recommended answer

Sure, SHA1 is more secure than MD5, but for most purposes it is not secure enough.

You will probably find useful the video How NOT to Store Passwords by Computerphile - 9 minutes and 24 seconds long.

You must realize

As you already know, you don't store the password. In fact, when it comes to storing passwords, in general terms you want to store salted hashes of the passwords, using a modern algorithm optimized for this purpose. For the salt, it is considered ok to store it alongside the hash; for the salt value, use a random value as long as possible.

Note: When generating random values for security purposes, use a cryptographically secure generator (such as a subclass of RandomNumberGenerator for .NET - example). These random number generators are designed to be hard to predict, while standard random number generators are meant to be repeatable (that is, with System.Random all you need is the seed to generate all the values, and to guess the seed all you need is enough consecutive values generated with the same seed).

Also note: Most hashes are optimized to be fast to calculate; both MD5 and SHA1 fall in that category. You should choose one that is not that fast, so that the attack will take a reasonable amount of time to compute the hashes when trying to crack your passwords.

One such algorithm is BCrypt - others include Scrypt and PBKDF2 - on using BCrypt from C# you will find the article Use BCrypt to Hash Your Passwords: Example for C# and SQL Server useful. If you can't resort to BCrypt or a similar algorithm, you should at least use a variant of SHA2 (SHA256, SHA512 and so on).

Addendum: You can use the class HMACSHA256, which is available in the BCL, as a key derivation function; pass your salt as the key. This is preferable to appending or prepending the salt (which could fall to length extension attacks). That is, if you use HMAC, and your hash algorithm is vulnerable to length extension attacks (known or to be discovered), your system is still secure. MD5, SHA1 and SHA2 are susceptible to this kind of attack. SHA3 is not. Sadly SHA3 is not included in the BCL (no, it is not SHA384); you can get it from Multiformats.Hash or HashLib. I have to mention that SHA3 is also designed to be fast when implemented in hardware. And remember, for passwords a slow hash is better.

As was pointed out a year ago, this answer should be updated to mention Argon2. I did write the original answer before that existed.

At the time, I had not found an implementation for C# that I was willing to recommend. Since this answer was brought to my attention, I had another look, and that is no longer the case.

You can use Isopoh.Cryptography.Argon2 which has fully managed code (it is not a C# binding for a C++ implementation, but full C# code), works on all major platforms and there are Nugets available.

Notes


  • Use Argon2Version.Nineteen. This is Argon2 v.1.3 (Nineteen = 0x13) which fixes known vulnerabilities.
  • Use Argon2Type.DataDependentAddressing (Argon2d), or use Argon2Type.DataIndependentAddressing (Argon2i) with TimeCost >= 10. Argon2d is in theory vulnerable to side channel attacks; as such, it is not recommended for code that runs on client machines. Isopoh.Cryptography.Argon2 mitigates this by using OS calls to prevent sensitive memory from being moved to virtual memory/pagefile/swap and to zero it as soon as possible. On the other hand, Argon2i has a time-memory tradeoff vulnerability, which allows computing the hashes faster by using more memory. The paper Towards Practical Attacks on Argon2i and Balloon Hashing shows that you need 10 iterations/passes to make the exploit inefficient, even in Argon2 v.1.3.

Here is some recommended reading:

  • Speed Hashing
  • You're Probably Storing Passwords Incorrectly
  • Everything you ever wanted to know about building a secure password reset feature
  • The definitive guide to form based website authentication
  • OWASP's Password Storage Cheat Sheet
  • OWASP's Forgot Password Cheat Sheet

Also the video: Crypto is Back! - Google Tech Talk - August 5, 2009 - 54 minutes and 32 seconds long.

First off: don't. The point of the password recovery option is not to recover the password, but to recover access to the application. So... how do you recover access to the application?

I'm glad you ask. What you need is an alternative way to verify the identity of the user. This could be second-factor authentication (anything from a security question to using a hardware key generator). Yet, what is often done is to resort to a third party, such as mail.

So, you want to know if the user is the owner of the email (or cellphone, or whatever) the user has previously claimed to own. In order to do so, you send a code (often referred to as a token or cookie) to that email (or whatever). This must be a randomly generated code from a cryptographically secure generator so that nobody else - except the owner of that email (or whatever) - will be able to know what that code is.

Now, if the user presents to your application that code, you are almost sure it is the right user.

Almost, because emails (or whatever) could have been stored in an insecure location. To mitigate that, you want to put a time limit on your code (cookie or token). Also, if a code has been used, it should NOT work again. And for extra security you could resort to a CAPTCHA, to ensure this code doesn't come from a bot that just got lucky.

For more on this topic (these links are also presented above):




  • Everything you ever wanted to know about building a secure password reset feature
  • OWASP's Forgot Password Cheat Sheet
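
The reset-code rules from the recovery part of the answer (random code from a cryptographically secure generator, a time limit, no reuse), as an added example that is not part of the original answer. The class and method names, the 30-minute lifetime and the in-memory dictionary standing in for a database table are assumptions, and storing only a hash of the code is an addition beyond what the answer states.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added illustration, not the answer author's code. The dictionary stands in for a
// database table; names and the lifetime are assumptions. Requires .NET 6 or later.
public sealed class ResetTokens
{
    private sealed record Entry(string UserId, DateTimeOffset Expires);
    private readonly Dictionary<string, Entry> _pending = new();
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    // Only a SHA-256 fingerprint of the code is kept, so a leaked table
    // does not hand out usable reset codes.
    private static string Fingerprint(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Returns the code to send to the address on file for this user.
    public string Issue(string userId, DateTimeOffset now)
    {
        // Keep one outstanding code per user: drop any older ones first.
        foreach (var kv in new List<KeyValuePair<string, Entry>>(_pending))
            if (kv.Value.UserId == userId) _pending.Remove(kv.Key);

        string token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32)); // 256 bits
        _pending[Fingerprint(token)] = new Entry(userId, now + Lifetime);
        return token;
    }

    // Returns the user id if the code is known, unexpired and unused; otherwise null.
    public string? Redeem(string token, DateTimeOffset now)
    {
        // Remove-then-check makes the code single-use: a second call finds nothing.
        if (!_pending.Remove(Fingerprint(token), out Entry? entry)) return null;
        return now <= entry.Expires ? entry.UserId : null; // expired codes are consumed too
    }
}
```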

08-13 16:44