dongpiansui8755 2011-01-28 23:51
浏览 51
已采纳

哈希盐的复杂性

Is there any benefit to using:

sha1($long_unpredictable_randomly_generated_salt.$password.$global_salt)

over 

sha1(sha1($username).$password.$global_salt)

The unique salt is obviously stored in the database, while the global salt is in a configuration file on the server.

I know the purpsoe of a salt is just to be unique, and prevent pre-calculated hash tables.. so I see no reason the long hash generated by sha1($username) is not good enough.. but as security is very important, I thought i'd ask for informative advice here from somebody who may know better :-)

  • 写回答

1条回答 默认 最新

  • dongquan6030 2011-01-29 00:10
    关注

    The disadvantage is that the username is mostly known, so when someone knows this 'formula' you made up, he can just calculate sha1(user_to_hack) and this part won't have any additional benefit. In fact, it won't matter much if you use sha1(username) or just username in this case.

    In the other case, you're using a value that is not exposed, so even when someone knows your formula (which everybody knows now), he'll still needs the value of that unique salt too before it's any use to them, so they'll need to get to your database. I assume you're making up a unique salt for each user?

    You'll probably need to get data anyway, so the unique salt is probably faster too, because you won't need to calculate the hash over username.

    But anyway, both are pretty safe, but only if you implement the actual login procedure well. I wouldn't worry about which one to use right now.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 mmocr的训练错误,结果全为0
  • ¥15 python的qt5界面
  • ¥15 无线电能传输系统MATLAB仿真问题
  • ¥50 如何用脚本实现输入法的热键设置
  • ¥20 我想使用一些网络协议或者部分协议也行,主要想实现类似于traceroute的一定步长内的路由拓扑功能
  • ¥30 深度学习,前后端连接
  • ¥15 孟德尔随机化结果不一致
  • ¥15 apm2.8飞控罗盘bad health,加速度计校准失败
  • ¥15 求解O-S方程的特征值问题给出边界层布拉休斯平行流的中性曲线
  • ¥15 谁有desed数据集呀