问题描述
我在我的mysql数据库中有一个用户表,它有一个密码列。目前,我使用MD5算法来散列用户密码以存储在数据库中。现在我想认为我是安全良心人士。我在阅读MySQL文档时注意到他们不推荐MD5或SHA / SHA1哈希方法,但不提供替代方法。
在MySQL中密码的最佳方式是什么?在PHP和MySQL中原生支持的函数对于我当前的实现来说是理想和必要的。
谢谢!
不一定你不应该使用MD5,因为它不应该只使用 MD5,因为这会让你容易受到彩虹 - 表攻击(彩虹表是一个预先计算的散列值表 - 如果你的密码甚至是远程常见或简单的,攻击者只需要查找散列并且知道你的明文密码。)
至少您应该为每个密码添加一个salt,以便任何现有的彩虹表都没有用,从而迫使攻击者仅为您的密码数据库生成一个全新的彩虹表。
更好的办法是对数据库中的每个密码使用不同的salt,例如与其关联的用户名,以便攻击者甚至不能为整个数据库生成彩虹表nd必须单独破解每个条目。
MD5也是一个非常快速的算法。当谈到破解时,速度是敌人 - 生成哈希需要的时间越长,黑客每做出一次尝试的时间就越长。简单的事情就像每次用新的附加盐散列100次明文一样,对于登录到您的站点的用户来说几乎不可察觉(如果有的话),但它会增加用同样的方式强制密码所花费的时间100倍。
更详细的内容如下:
I have a user table in my mysql database that has a password column. Currently, I use the MD5 algorithm to hash the users' password for storage in the database. Now I like to think that I am a security conscience person. I noticed while reading the MySQL docs that they don't recommend MD5 or the SHA/SHA1 hashing methods, but don't offer an alternative.
What would be the best way to hash my passwords in MySQL? A function that is natively supported in both PHP and MySQL would be ideal and necessary with my current implementation.
Thanks!
It's not necessarily that you shouldn't use MD5, as much it's that you shouldn't use just MD5, as this leaves you vulnerable to rainbow-table attacks (a rainbow table is a table of precomputed hash values - if your password is even remotely common or simple, the attacker needs merely to look up the hash and he knows your plaintext password.)
At the very least you should add a salt to every password so that any existing rainbow table is useless, forcing the attacker to generate an entire new rainbow table just for your database of passwords.
Better still is to use a different salt for every password in your database, say the username it's associated with, so that an attacker can't even generate a rainbow table for your whole database and has to crack each entry separately.
MD5 is also a very fast algorithm. Speed is the enemy when it comes to cracking - the longer it takes to generate a hash, the longer it takes for each attempt a hacker makes. Something simple like hashing the plaintext 100 times with a new additional salt each time would be barely perceptible (if at all) to a user logging in to your site, but it would increase the time it takes to brute-force a password by the same 100 times.
Far, far more detail here: http://www.codinghorror.com/blog/archives/000953.html
这篇关于在MySQL中使用什么函数来散列密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!