BCrypt generated + hard-coded Salt: Is this more secure?
I found a blog post about BCrypt, and I'm not sure what the benefit is of adding a hard-coded salt "^Y8~JJ" to the password.
The 'hashToStoreInDatabase' contains the salt and the encrypted password, but not the hard-coded salt '^Y8~JJ'. So if someone steals the database, it is useless for the hacker to generate their own rainbow table from the salt (contained in the database) and the hashed password, because they will never get the hard-coded salt '^Y8~JJ'.
(I know that storing the salt and the password hash together is already quite secure, because generating a rainbow table is expensive.)
Is using BCrypt recommended?
Quoted from: https://www.codeproject.com/articles/475262/useplusbcryptplustoplushashplusyourpluspasswords
using System.Data;           // SqlDbType
using System.Data.SqlClient; // SqlConnection, SqlCommand

private void SetPassword(string user, string userPassword)
{
    string pwdToHash = userPassword + "^Y8~JJ"; // ^Y8~JJ is my hard-coded salt
    // BCrypt.GenerateSalt() produces the per-user salt; it is embedded in the resulting hash string
    string hashToStoreInDatabase = BCrypt.HashPassword(pwdToHash, BCrypt.GenerateSalt());
    using (SqlConnection sqlConn = new System.Data.SqlClient.SqlConnection(...)) // connection string elided in the post
    {
        sqlConn.Open();
        SqlCommand cmSql = sqlConn.CreateCommand();
        // parameterised update: the hash and user name are bound, not concatenated into the SQL
        cmSql.CommandText = "UPDATE LOGINS SET PASSWORD=@parm1 WHERE USERNAME=@parm2";
        cmSql.Parameters.Add("@parm1", SqlDbType.Char);
        cmSql.Parameters.Add("@parm2", SqlDbType.VarChar);
        cmSql.Parameters["@parm1"].Value = hashToStoreInDatabase;
        cmSql.Parameters["@parm2"].Value = user;
        cmSql.ExecuteNonQuery();
    }
}

private bool DoesPasswordMatch(string hashedPwdFromDatabase, string userEnteredPassword)
{
    // the same hard-coded value must be appended at verification time, or no password will ever match
    return BCrypt.CheckPassword(userEnteredPassword + "^Y8~JJ", hashedPwdFromDatabase);
}
It's actually called a pepper. The salt is stored in the DB, but the pepper is stored somewhere other than the DB.
Wikipedia states:
A pepper performs a comparable role to a salt, but while a salt is not secret (merely unique) and can be stored alongside the hashed output, a pepper is secret and must not be stored with the output. The hash and salt are usually stored in a database, but a pepper must be stored separately (e.g. in a configuration file) to prevent it from being obtained by the attacker in case of a database breach.
Once the database is breached, the attacker has no access to the pepper, so even weak passwords cannot be searched for.
In short, yes, it is recommended.
However, Bcrypt is outdated. Argon2, the winner of the Password Hashing Competition, should be used instead.
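The salt-in-DB, pepper-outside-DB arrangement the answer describes, as an added example that is not code from the post or the CodeProject article. It is Python rather than C#, and since the standard library has no bcrypt, PBKDF2-HMAC-SHA256 stands in for the slow hash; the pepper is mixed in with HMAC instead of the post's string concatenation (a deliberate substitution, noted in the comments). The in-memory `db` dict and the `PEPPER` value are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict

# Stand-in for BCrypt (assumption: the stdlib has no bcrypt). The pepper
# handling below is the same whether the slow hash is bcrypt, scrypt or Argon2.
ITERATIONS = 200_000


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Per-user salted slow hash; salt is stored next to the output."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def pepper_password(password: str, pepper: bytes) -> bytes:
    # HMAC instead of the post's password + "^Y8~JJ" concatenation: same
    # effect (the pepper never reaches the DB), but the input to the slow
    # hash has a fixed length, so bcrypt's 72-byte limit cannot silently
    # drop a pepper appended to a long password.
    return hmac.new(pepper, password.encode("utf-8"), "sha256").digest()


def set_password(db: Dict[str, str], user: str, password: str, pepper: bytes) -> str:
    salt = os.urandom(16)                      # unique per user, not secret
    digest = slow_hash(pepper_password(password, pepper), salt)
    record = salt.hex() + "$" + digest.hex()   # the only thing the LOGINS row holds
    db[user] = record
    return record


def check_password(db: Dict[str, str], user: str, password: str, pepper: bytes) -> bool:
    """True only if the caller knows both the password and the pepper."""
    record = db.get(user)
    if record is None:
        return False
    salt_hex, digest_hex = record.split("$", 1)
    actual = slow_hash(pepper_password(password, pepper), bytes.fromhex(salt_hex))
    return hmac.compare_digest(bytes.fromhex(digest_hex), actual)


if __name__ == "__main__":
    PEPPER = b"constructed-pepper-kept-in-config-not-in-db"   # constructed value
    db: Dict[str, str] = {}                                   # constructed stand-in for LOGINS
    set_password(db, "alice", "Passw0rd", PEPPER)
    print(check_password(db, "alice", "Passw0rd", PEPPER))     # True: app with pepper
    print(check_password(db, "alice", "Passw0rd", b""))        # False: stolen DB, no pepper
```

The last line is the point of the answer: a copy of the database row alone does not let anyone confirm even a correct guess, because the pepper is missing from the check.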