问题描述

如果要在跨行发送用户密码并将其以纯文本格式保留在内存之前对其进行哈希处理，这会提高应用程序的安全性吗？

对于哈希，有些事情是不对的在客户端上。

在客户端上使用密码哈希是一种常见的做法吗？这样做还有其他优点或缺点吗？

编辑：
鉴于通信通道是安全的（SSL）。在什么条件下使用这种方法是可以接受的，也是值得的。我之所以这样问，是因为安全专家建议我在某些应用程序功能期间使用这种方案。

否。

客户端发送某物时，无论是 P 还是 H（P）或 H（H（P））任何拦截此内容的人都可以简单地重新发送事物，因此使任何类似的功能都等同于直接使用密码。

这就是为什么您应该使用；服务器可以发出一些随机垃圾 k ，客户端将计算 H（P，k）并将其发送到服务器。 是此方法的流行实现。

提供服务器从不两次接受同一随机数，这样可以防止重放攻击。

If you were to hash a user's password prior to sending it across the line and leaving it in plain-text in memory, would this improve the security of the application?

I would assume this mitigates a small fraction of vulnerabilities by protecting the data stored in the clients memory. But really if we're worried about someone reading the client's memory there are probably bigger problems that we can't address.

There's something that doesn't feel right about hashing on the client's end.

Is password hashing on the client end a common practice? Are there any other advantages or disadvantages to doing it?

EDIT:Given the communication channel is secure (SSL). Under what conditions would it be acceptable and worthwhile to use such an approach. I'm asking this because it was suggested by a "security professional" that I use such a scheme during some application functions.

No.

When the client sends something, whether it is P or H(P) or H(H(P)) anyone who intercepts this can simply resend the exact same thing, thus making any function like this equivalent to using the password directly.

That's why you should use a nonce; The server can give out some random garbage k and the client will calculate H(P,k) and send it to the server. HMAC is a popular implementation of this method.

Provided the server never accepts the same nonce twice, this is secure against a replay attack.

这篇关于在客户端哈希密码是否有意义？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！