Salting passwords with jBCrypt in an Android app causes a very long hang

Problem description

I am using the jBCrypt Library to hash user passwords when they register using my app.

I am using the basic hash function, with a salt, like so:

String pass = BCrypt.hashpw(rawPass, BCrypt.gensalt());

I noticed a one to two minute hang when registering, and checked the debugger, confirming BCrypt was responsible.

Does salting the password really take that much processing power? If so, would a good alternative be to send the plaintext password out to the server to hash it? My original thought on the matter was to hash it before it got sent anywhere. Any ideas?

Recommended answer

Here is an article which lists the times taken on a Mac laptop with a Core 2 Duo processor. So, yes, Bcrypt is likely to be very slow on a mobile device.

Another common problem is the initialization of SecureRandom which can be very slow and may also hang due to the lack of enough random data. This will vary between different machines and operating systems. You'll find plenty of discussion of that elsewhere, but it's something you might want to test either initializing it yourself using new SecureRandom() or by calling gensalt separately to isolate the random data generation and then just time the call to hashpw.

Another question is why you actually want to hash it on the client? If you are storing it on the client and logging in locally, then that may make some sense, but if it is being sent to a server and a normal login involves sending a plaintext password to the server then you aren't gaining anything. Also, a common misconception is that hashing a password before sending it to the server (when logging in) offers some protection, when in fact it is equivalent to sending the plaintext password. An attacker only has to obtain the hash to be able to gain access.

Hashing passwords is a means of preventing an attacker from gaining access (or at least slowing them down) should the password store itself be compromised.

So if the password is stored on the server, it should be sent in plaintext (over a secure channel) and the server should make the decision on how it is hashed.
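A small timing harness, added here as an example (it is not from the original post or from the jBCrypt project), that separates the three pieces the answer says to isolate: SecureRandom initialization, gensalt, and hashpw, and then shows how hashpw time grows with the cost factor. It assumes the jBCrypt 0.4 API in org.mindrot.jbcrypt and uses a constructed sample password; timeMs is a hypothetical helper.

```java
import java.security.SecureRandom;
import org.mindrot.jbcrypt.BCrypt;

public class BcryptTiming {

    // Hypothetical helper: run a task and return the elapsed wall-clock milliseconds.
    private static long timeMs(Runnable task) {
        long start = System.nanoTime();
        task.run();
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) {
        final String rawPass = "correct horse battery staple"; // constructed sample input

        // Step 1: SecureRandom construction and first use on their own. On some
        // devices this is where a hang shows up (blocking while waiting for entropy).
        long rngMs = timeMs(() -> new SecureRandom().nextInt());
        System.out.println("SecureRandom init + first nextInt: " + rngMs + " ms");

        // Step 2: salt generation only. gensalt() draws 16 random bytes and does no
        // key stretching itself, so a slow result here points at the RNG, not at bcrypt.
        final String[] salt = new String[1];
        long saltMs = timeMs(() -> salt[0] = BCrypt.gensalt());
        System.out.println("gensalt(): " + saltMs + " ms  salt=" + salt[0]);

        // Step 3: hashing only, with the salt already in hand. This is the part that
        // scales with the cost factor encoded in the salt (2^log_rounds expansion rounds).
        long hashMs = timeMs(() -> BCrypt.hashpw(rawPass, salt[0]));
        System.out.println("hashpw() at default cost: " + hashMs + " ms");

        // Step 4: explicit cost factors, to see the roughly 4x growth per +2 log_rounds.
        for (int logRounds : new int[] {8, 10, 12}) {
            final String s = BCrypt.gensalt(logRounds);
            long ms = timeMs(() -> BCrypt.hashpw(rawPass, s));
            System.out.println("hashpw() log_rounds=" + logRounds + ": " + ms + " ms");
        }

        // Step 5: verification redoes the same work, so checkpw costs about as much as hashpw.
        final String stored = BCrypt.hashpw(rawPass, BCrypt.gensalt(10));
        long checkMs = timeMs(() -> BCrypt.checkpw(rawPass, stored));
        System.out.println("checkpw(): " + checkMs + " ms");
    }
}
```

If step 1 or step 2 dominates, the hang is in random-number generation rather than in bcrypt itself; if step 3 dominates, lower the cost factor for the device or, as the answer suggests, move hashing to the server.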

08-26 03:38