java哈希加盐 加密密码_盐腌哈希密码简介

java哈希加盐 加密密码

When LinkedIn was hacked in 2012, many users were surprised to learn that their accounts were easily compromised due to the minimal security surrounding password encryption. LinkedIn used a technique known as password hashing, which enabled attackers to quickly brute-force hundreds of thousands of passwords within 72 hours.

当LinkedIn 在2012年遭到黑客攻击时 ,许多用户惊讶地发现,由于围绕密码加密的最低安全性,他们的帐户很容易遭到破坏。 LinkedIn使用了一种称为密码哈希的技术,该技术使攻击者能够在72小时之内快速暴力破解成千上万个密码 。

什么是密码哈希 (What is Password Hashing)

Password hashing is a simple way of storing users’ passwords in a database. Users enter their password, which is then inserted into a hash function that then maps the users password to a fixed-length string of random characters. Some common hash functions include MD5 and SHA256.

密码哈希是将用户密码存储在数据库中的一种简单方法。 用户输入他们的密码,然后将其插入到哈希函数中 ,该哈希函数随后将用户密码映射到固定长度的随机字符字符串。 一些常见的哈希函数包括MD5和SHA256。

Password hashing may seem secure on the surface, since users’ passwords are not stored in plain-text. However, what happens when two users use the same password? Or users use a common password such as “password” or “abc123”?

从表面上看,密码散列似乎是安全的,因为用户密码不是以纯文本格式存储的。 但是,当两个用户使用相同的密码时会发生什么? 还是用户使用诸​​如“ password”或“ abc123”之类的通用密码?

Image for post
An example username-password database using the SHA256 hashing function. Alice and Charlie share the same password “password” 使用SHA256哈希函数的示例用户名密码数据库。 爱丽丝和查理使用相同的密码“ password”

With password hashing, if two users use the same password they will have the same password hash. With common passwords, it’s even worse since there are many lists online with the most common passwords and their hashes. In this case, the passwords might as well be in plain-text, since attackers who can get their hands on your database will be able to quickly determine common passwords from their respective hashes.

使用密码哈希,如果两个用户使用相同的密码,则他们将具有相同的密码哈希。 使用通用密码,情况更糟,因为在线上有许多列表包含最通用的密码及其哈希值。 在这种情况下,密码也可能是纯文本格式的,因为可以使用您的数据库的攻击者将能够从各自的哈希中快速确定常用密码。

什么是盐? (What is a Salt?)

A salt is a random character string that is added to the beginning or the end of a password. This salt is unique to each user, and is stored in the database along with the username and salted-hashed password.

盐是添加到密码开头或结尾的随机字符串。 该盐对于每个用户而言都是唯一的,并与用户名和盐密密码一起存储在数据库中。

An example username-password database using the SHA256 hashing function with a salt. Alice and Charlie share the same password “password” but have different salts. 一个示例用户名-密码数据库,它使用带有盐的SHA256哈希函数。 爱丽丝(Alice)和查理(Charlie)使用相同的密码“ password”,但盐不同。

为什么要用盐? (Why use a Salt?)

Salts solve the collision problem that hash functions suffer from. Even if two users share the same password, as long as the salt for each user is unique, they will have a different salted-hashed password. Salts increase the search space that attackers use to try to brute-force passwords by increasing the complexity of each password. The best part about salts is that they increase the complexity of each users’ password without any additional effort from the user.

盐解决了哈希函数遭受的冲突问题。 即使两个用户共享相同的密码,只要每个用户的密码都是唯一的,他们将具有不同的密码哈希密码。 盐增加了每个密码的复杂性,从而增加了攻击者用于尝试暴力破解密码的搜索空间。 关于盐的最好之处在于,它们增加了每个用户密码的复杂性,而无需用户付出任何额外的努力。

如何实施? (How is it implemented?)

Salts should be randomly generated on the developers’ side when a user creates their password. Different programming languages may have built-in methods or rely on libraries to create random fixed-length strings. Once the salt is generated, it should be added either at the beginning or the end of the password before being sent to the hashing function like so:

用户创建密码时,应在开发者一方随机生成盐。 不同的编程语言可能具有内置方法,或依赖于库来创建随机的固定长度字符串。 生成盐后,应在将其发送到哈希函数之前将其添加到密码的开头或结尾,如下所示:

Salted-Hash = SHA256(password + salt)

Salted-Hash = SHA256(密码+盐)

常见错误 (Common Mistakes)

The two most common mistakes with salts are salt reuse and short salt.

盐的两个最常见的错误是盐再利用短盐。

Salt reuse occurs when a developer uses the same salt for each password and basically makes the salt useless. Users with the same password will have the same salted-hashed password and if an attacker can guess the salt, they can brute-force the passwords with ease.

当开发人员为每个密码使用相同的盐并基本上使盐无用时,就会发生盐重用 。 具有相同密码的用户将具有相同的哈希密码,并且如果攻击者可以猜到盐,他们可以轻松地对密码进行暴力破解。

Short salt refers to a salts’ length being too short. The problem with this is that attackers can simply generate each combination of characters with that length and pair it with common passwords to brute-force some of your users’ password.

短盐是指盐的长度太短。 这样做的问题是,攻击者可以简单地生成具有该长度的每个字符组合,并将其与常用密码配对,以蛮力地强制使用某些用户的密码。

翻译自: https://medium.com/swlh/introduction-to-salted-hashed-passwords-d19bd6f92480

java哈希加盐 加密密码

你可能感兴趣的:(java,https,md5,哈希表,哈希)