password salt storing
I want to update my password setup that is currently using just MD5.
Now what I would like to do is use something stronger (maybe sha256) with unique salt per user.
The question is about the salt storage.
Do I go with storing the salt in its own column in the database?
Then hash salt + password and, when it comes to login, pull the salt and password from the database to make one.
Or do I go the way of making a salt by using the username, email and timestamp, which would also give me a unique salt per user?
I am wondering: if someone got hold of the database with the salt as a column, they would know the salt for each user, and then they could crack the password.
The salt is not a secret; it can be stored in plaintext together with the hash. It is not even necessary to have a second field in the database. If you look at PHP's crypt() function, you can see that the salt is included in the hash value itself.
It is the job of the salt to make already existing rainbow tables useless, because a rainbow table has to be built for one specific salt. Using a different salt for every hash prevents rainbow table attacks, because you would have to create a rainbow table for each hash. That's why it is not necessary to keep the salt secret.
I would recommend that, if you want to improve your password hash system anyway, you do it right, with a hash function that is slow. The article "password hashes with bcrypt" explains the important points of generating a hash for passwords.
Last but not least, don't be afraid of doing it correctly; the code of your application can be as easy as your current implementation with MD5.
Forget MD5 or SHA. Use Bcrypt (Blowfish Crypt). It comes native with PHP 5.3 and above (crypt method 2a). It is more secure and runs slower.
When using Bcrypt the salt is stored together with the hash in the same field. There is no reason for a separate one.
http://php.net/manual/en/function.crypt.php
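To make the two answers above concrete, here is an added example (not code from the question or either answer) that puts the asker's proposed scheme, a separate salt column with SHA-256 over salt + password, next to the recommended one, bcrypt with the salt embedded in the stored string, and shows how an MD5-era user can be upgraded transparently on the next successful login. It assumes PHP 7.0 or newer (for random_bytes() and password_hash()), a bcrypt cost of 12 as a hypothetical policy value, and constructed user data; the column names md5 and hash are assumptions.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes PHP >= 7.0. All user rows and passwords below are constructed for the demo.

declare(strict_types=1);

// --- Scheme A: what the question proposes. Separate salt column, SHA-256 over salt + password.
// The salt is random per user and stored in plaintext next to the hash; it is not a secret.
// Its only job is to make precomputed tables useless. SHA-256 is fast, so an attacker who
// has the table can still try billions of guesses per second against each user.
function sha256_make(string $password): array
{
    $salt = bin2hex(random_bytes(16)); // 32 hex chars, unique per user
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password)];
}

function sha256_verify(string $password, string $salt, string $hash): bool
{
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($hash, hash('sha256', $salt . $password));
}

// --- Scheme B: what both answers recommend. bcrypt via password_hash(); the salt lives
// inside the returned string, so the users table needs a single column.
const BCRYPT_COST = 12; // hypothetical policy value; raise it as hardware gets faster

function bcrypt_make(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function bcrypt_verify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Split a "$2y$12$<22-char salt><31-char hash>" string to show where the salt sits.
function bcrypt_parts(string $stored): array
{
    return [
        'algorithm' => substr($stored, 0, 4),  // "$2y$"
        'cost'      => (int) substr($stored, 4, 2),
        'salt'      => substr($stored, 7, 22), // 128 bits, bcrypt base64 alphabet
        'hash'      => substr($stored, 29),    // 184 bits
    ];
}

// --- Migration from the existing MD5 column: verify against MD5 on login, then replace
// the row's credential with a bcrypt string. Returns the value to write back, or null on failure.
function login_and_upgrade(array $row, string $password): ?string
{
    if (isset($row['md5'])) {
        if (!hash_equals($row['md5'], md5($password))) {
            return null;
        }
        return bcrypt_make($password); // store this and clear the md5 column
    }
    if (!password_verify($password, $row['hash'])) {
        return null;
    }
    // Re-hash transparently if the stored cost is below the current policy.
    if (password_needs_rehash($row['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return bcrypt_make($password);
    }
    return $row['hash'];
}

// Demo with constructed data.
$pw = 'correct horse battery staple';

$a = sha256_make($pw);
var_dump(sha256_verify($pw, $a['salt'], $a['hash']));

$b = bcrypt_make($pw);
print_r(bcrypt_parts($b)); // the salt is readable in plaintext, by design
var_dump(bcrypt_verify($pw, $b), bcrypt_verify('wrong password', $b));

$legacy = ['md5' => md5($pw)];
$upgraded = login_and_upgrade($legacy, $pw);
var_dump($upgraded !== null && substr($upgraded, 0, 7) === '$2y$12$');
```

password_hash() and password_verify() exist since PHP 5.5; on 5.3.7 through 5.4 the same result comes from crypt() with a "$2y$" prefix, where you generate the 22-character salt yourself. Either way the 60-character string is the only thing that needs a column, and the salt inside it is no more secret than the SHA-256 salt column in scheme A; the difference that matters is that bcrypt costs the attacker the same per guess as it costs you.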
Just reading another post, and someone says the salt is not a secret and can be stored in a database column. So that answers my question.