md5($password.md5($password))
这对口号的 has弄是否好? 我并不要求将这一点与像加密这样的东西相比较。
如果情况不可靠,我就告诉我为什么。
每一用户口号使用不同的盐类的原因是,攻击者可以拿到所有破旧的口号清单,看看看其中任何一种口号是否与“密码”或“12345”等容易混淆。 如果你将密码本身用作盐类,那么攻击者可计算<代码>md5("12345'md5(“12345”),并看其是否与任何条目相符。
根据我的理解,在密码表中可使用四级洗 has器:
详情请见Coding Horror员额,“。
Although it seems quite enough to me, it will be in danger in case if someone precomputed a rainbow table based on the same algorithm (what is quite possible). So, I d rather use an email for the salt which seems pretty secure yet usable. Paranoids may add some constant site-wide salt.
人们往往过多地去掉口食盐(理论上),而在应用中,他们允许简单密码,并在简单案文中将其转移至实际上不安全的吉大港山区。
Every freakin day I see questions regarding salt or hash.
And not a single one regarding password complexity. While
为什么? 让我向你表示。
极好的盐加弱的密码 = 秒钟()。
It is always assumed that salt is known to attacker. So, by using some dictionary of most used passwords and adding [whatever extra-random-super-long] salt to them, a weak password can be discovered in seconds. Same goes for brute-forcing short passwords.
just sensible Salt + Robword = unbreakable
某些独特的盐类使 pre食表变得无用和好的口号,使dict和二恶英的攻击毫无结果。
它对口腔攻击没有多大作用,只有两倍难以计算出字典和单一<代码>md5<>/code>,而<代码>md5<>>则这些天基本便宜。
计量吸入器5本身并不可靠,因为它部分被打碎(col),太小。 如果有人不想在加密、加密或PBK2DF上使用适当的密码衍生功能,那么你至少应当使用SHA-256新设计(计划一旦完成,将计划转移到SHA-3,这样可以肯定地储存你用来将密码与结果混在一起的计划,那么这两种办法就能够共存,因为当人们改变口号时,你可以使用新的散装程序。
如果你打算以任何身份出售MD5方案,就可以成为大多数政府销售的显示器(例如,美国计算法中所用的FPS 140-2必须获得批准,而且许多其他国家也满足同样的要求)。
随机密码盐之所以被推荐用于洗衣口,是因为知道密码的攻击者可以将其与以下网址进行比较:http://en.wikipedia.org/wiki/Rainbow_table”rel=“nofollow”>rainbow table, 事先计算出的口 ha。
If you re using password as salt, attacker can pre-calculate hashes of $word.md5($word) first from their dictionary
有了你的解决办法,你就大打败了用盐对付预谋的独裁袭击的目的。
有了预先判断的字典,正如名称所暗示的那样,有人已经为特定词预先设定了一张海螺表(计算结果:<代码>md5<>>>>)。
审议本表<编码> (带有想象力的斜体,仅供参考)
word | hash
------------
foo | 54a64
bar | 3dhc5
baz | efef3
Testing these values against your table, could be as simple as:
SELECT h.word
FROM hashtable h, yourtable y
WHERE y.password = MD5( CONCAT( h.word, h.hash ) );
顺便说一句,你有密码。
However, if you did NOT hash the password, before concatenating it again with the password and hashing it once more, it would be more difficult to attack it with a pre-computed dictionary. Because then the password would be for instance md5( testtest ) which makes the precomputed table worthless, if the precomputed table has only taken into account single instances of the word.
如果你不使用口号作为盐类,而是使用另一种随机体格作为盐类,那么你就很容易看到它变得更加困难。 而且,当你为每个口号创造独特的盐类时,它变得更加困难。 当然,如果你每口打上独一无二的盐类,你就必须在单列一栏中节省食盐量,同时在数据库中添加密码。
因此,我的建议是:
md5( uniquesalt . password );
或者实际上,不使用<代码>md5,而是使用最完善的<代码>sha1,sha256(或更高)洗 algorithm算法。
I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...
<?php $con=mysql_connect("localhost","mts","mts"); if(!con) { die( unable to connect . mysql_error()); } mysql_select_db("mts",$con); /* date_default_timezone_set ("Asia/Calcutta"); $date = ...
I found this script online that creates a thumbnail out of a image but the thumbnail image is created with poor quality how can I improve the quality of the image. And is there a better way to create ...
如何确认来自正确来源的数字。
Most sites need some way to show the dates on the site in the users preferred timezone. Below are two lists that I found and then one method using the built in PHP DateTime class in PHP 5. I need ...
I wonder there is a way to post a message to a facebook business page with cURL? thanks
I want to create text as a watermark for an image. the water mark should have the following properties front: Impact color: white opacity: 31% Font style: regular, bold Bevel and Emboss size: 30 ...
How does php cast boolean variables? I was trying to save a boolean value to an array: $result["Users"]["is_login"] = true; but when I use debug the is_login value is blank. and when I do ...