salt

问题 I must confess to being largely ignorant on most of the high-tech security issues relevant for web applications, but there is one thing I at least thought I could ask because it is a direct question with (hopefully) a concrete answer. Take this website: http://www.15seconds.com/issue/000217.htm It shows a bit down that they store the salt value in the table, I understand the principles and the math behind using a salt, but I'm wondering this: Why did they not just use the username as a salt

问题 I must confess to being largely ignorant on most of the high-tech security issues relevant for web applications, but there is one thing I at least thought I could ask because it is a direct question with (hopefully) a concrete answer. Take this website: http://www.15seconds.com/issue/000217.htm It shows a bit down that they store the salt value in the table, I understand the principles and the math behind using a salt, but I'm wondering this: Why did they not just use the username as a salt

问题 Below is my encryption logic. Although my IV is 16bytes long, I still get an error with invalid IV length. Would appreciate any help @Override public String encrypt(String dataToEncrypt, String IV) throws Exception{ if(encryptionKey.length() < 10){ encryptionKey = generateEncryptionKey().toString(); } System.out.println("number of IV bytes is "+IV.length()+" "+IV); Cipher cipher = Cipher.getInstance(encrpytionAlgo); SecretKey key = new SecretKeySpec(encryptionKey.getBytes(Charset.forName("UTF

问题 What's the best way to produce a SALT value in Java as a String that's at least 32 bytes long? 回答1: final Random r = new SecureRandom(); byte[] salt = new byte[32]; r.nextBytes(salt); /** String encodedSalt = Base64.encodeBase64String(salt); */ 回答2: In SpringSecurity you can use org.springframework.security.crypto.keygen.KeyGenerators http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/crypto/keygen/KeyGenerators.html http://docs.spring.io

问题 What are the key differences between these two approaches to generate sequential-but-somewhat-unique numbers? I want to use such a number as a unique user ID inside a MySQL db, and also as a salt to salt a password. My understanding is that for clustering and indexing reasons those IDs should be sequential (I realize that in some cases the random string will make two entries that occurred in the same microsecond non sequential, but hopefully this is negligible.) 回答1: (scratch this, wrong info

问题 A salt makes every users password hash unique, and adding a salt to a password before hashing to protect against a dictionary attack. But how? 回答1: The tool you almost certainly want is called PBKDF2 (Password-Based Key Derivation Function 2). It's widely available, either under the name "pbkdf2" or "RFC 2898". PBKDF2 provides both salting (making two otherwise identical passwords different) and stretching (making it expensive to guess passwords). Whatever system you are developing for

问题 What's the best way to generate a cryptographically secure 32 bytes salt in PHP, without depending on libraries seldom included in typical PHP installations? After some googling I discovered that mt_rand is not considered secure enough, but I haven't found a suggestion for a replacement. One article suggested reading from /dev/random but not only this won't work on windows; it is also very slow. I want a reasonable balance between security and speed (ie, it shouldn't take 20 seconds to

问题 This is my first attempt in securely storing passwords and I would like to make sure that everything is done correctly. I was advised to use SHA-256 hashing alongside salt. Assuming user submitted their password thorough form, we get the password via $password = $_POST["password"]; What is correct way to salt $password and use SHA-256 hashing on it, so it can than be stored in a password field "password CHAR(64)" in a database? Once done and stored how would I than compare value stored in a

问题 I'm reading so much conflicting advice as to how to store passwords securely. All I know for sure is not to use MD5! I've seen people advocate using PHP's bcrypt function, which seems like it'd hog the server's processor. I've seen advocates for salts, and advocates for not using salts. It's all just so unclear. Is there real and credible advice as to how to store passwords securely? Edit: After a fair amount of research, I found an article from ;login: that deals with the topic in quite some

问题 I need two functions/methods, one to encode, one to decode. This is not for storing passwords . Each user will have a specific key/salt to encode the data. This is how I would like it to work: function encode($str, $key) { // something fancy } function decode($str, $key) { // something fancy } $key = $logged_in_user->get_key(); $plain = 'abc abc 123 123'; $encoded_data = encode($plain, $key); // some_fancy_encrypted_data_that_is_really_cooooool $decoded_data = decode($encoded_data, $key); //