salt

问题 I\'ve always used a proper per-entry salt string when hashing passwords for database storage. For my needs, storing the salt in the DB next to the hashed password has always worked fine. However, some people recommend that the salt be stored separately from the database. Their argument is that if the database is compromised, an attacker can still build a rainbow table taking a particular salt string into account in order to crack one account at a time. If this account has admin privileges,

问题 I was just going through one of DavidHayden\'s articles on Hashing User Passwords. Really I can\'t get what he is trying to achieve. Here is his code: private static string CreateSalt(int size) { //Generate a cryptographic random number. RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); byte[] buff = new byte[size]; rng.GetBytes(buff); // Return a Base64 string representation of the random number. return Convert.ToBase64String(buff); } private static string CreatePasswordHash

问题 This is my first trial for implementing a member site with salted passwords which are all stored in the DB (MySQL). Everything works except for the error in the \'login for members\' page. The Error: Member login page accepts any entry to the membership site and for some reason passes my check for $result === false This is the code for checking if member exists, please let me know what the problem is: $servername = \'localhost\'; $username = \'root\'; $pwd = \'\'; $dbname = \'lp001\';

问题 I\'m having some trouble understanding the purpose of a salt to a password. It\'s my understanding that the primary use is to hamper a rainbow table attack. However, the methods I\'ve seen to implement this don\'t seem to really make the problem harder. I\'ve seen many tutorials suggesting that the salt be used as the following: $hash = md5($salt.$password) The reasoning being that the hash now maps not to the original password, but a combination of the password and the salt. But say $salt

问题 Recently I have been trying to implement my own security on a log in script I stumbled upon on the internet. After struggling of trying to learn how to make my own script to generate a salt for each user, I stumbled upon password_hash. From what I understand (based off of the reading on this page: http://php.net/manual/en/faq.passwords.php), salt is already generated in the row when you use password_hash. Is this true? Another question I had was, wouldn\'t it be smart to have 2 salts? One

问题 As I understand it, the best practice for generating salts is to use some cryptic formula (or even magic constant) stored in your source code. I\'m working on a project that we plan on releasing as open source, but the problem is that with the source comes the secret formula for generating salts, and therefore the ability to run rainbow table attacks on our site. I figure that lots of people have contemplated this problem before me, and I\'m wondering what the best practice is. It seems to me

问题 How much more safe is this than plain MD5? I\'ve just started looking into password security. I\'m pretty new to PHP. $salt = \'csdnfgksdgojnmfnb\'; $password = md5($salt.$_POST[\'password\']); $result = mysql_query(\"SELECT id FROM users WHERE username = \'\".mysql_real_escape_string($_POST[\'username\']).\"\' AND password = \'$password\'\"); if (mysql_num_rows($result) < 1) { /* Access denied */ echo \"The username or password you entered is incorrect.\"; } else { $_SESSION[\'id\'] = mysql