salt

问题 I want to implement a salt into my login system but am a bit confused on how this is supposed to work. I can't understand the logic behind it. I understand md5 is a one-way algorithm and all of the functions that I have come across seem to hash everything together. If this is the case, how does one get the password back out for comparison? My biggest question is, how is salting a users' password safer than just hashing the password? If a database was ever to be compromised, the hash along

问题 This question already has answers here : Closed 6 years ago . Possible Duplicate: What algorithm should I use to hash passwords into my database? I am new to this hashing on password. I read the hashing + salt make passwords really safe. But still confused which hashing algorithm should I use as there are many like. MD5CryptoServiceProvider SHA1Managed SHA256Managed etc. How can I decide which one is good for me or all are equal. Can I pick up anyone blindly? 回答1: MD5: In 1996, a flaw was

问题 I've read through many of the questions on SO about this, but many answers contradict each other or I don't understand. You should always store a password as a hash, never as plain text. But should you store the salt (unique for each user) next to the hashed password+salt in the database. This doesn't seem very clever to me as couldn't someone gain access to the database, look for says the account called Admin or whatever and then work out the password from that? 回答1: A lot of people are

问题 I am using WebMatrix and have built a website based on the "StarterSite". In this starter site you get a nice basic layout - including registration, login, forgot password pages etc... I've noticed that in the database that the "webpages_Membership" table has a column named "PasswordSalt". After creating a few new user accounts, this column always remains blank. So I'm assuming that no password salt (not even a default one) is in use. Obviously this is not the best practice, however I cannot

问题 I'm looking at some code that I have not written myself. The code tries to hash a password with SHA512 and uses just time() as the salt. Is time() too simple a salt for this or is this code safe? Thanks for the answers and comments. I will sum it up here for the new readers: salt should be different for each user, so if 2 users register at the same time, their salts won't be unique. This is a problem, but not a big one. but salt shouldn't be in any way related to the user, so time() is not a

问题 I have been searching around and I am still unsure of what a "salt" is and how to use/implement it. Sorry for the noobish question, I am self learning php. 回答1: I am definitely not an expert, but the really short answer is that "salting" a line of text means to stick a few extra characters on the end of it. You could salt "salt" with "abcdefg" to get "saltabcdefg". This might be useful if "salt" happens to be a password that you'd like to make more difficult to guess. Typically, the password

问题 Here is an algorithm in Java: public String getHash(String password, String salt) throws Exception { String input = password + salt; MessageDigest md = MessageDigest.getInstance(SHA-512); byte[] out = md.digest(input.getBytes()); return HexEncoder.toHex(out); } Assume the salt is known. I want to know the time to brute force for when the password is a dictionary word and also when it is not a dictionary word. 回答1: In your case, breaking the hash algorithm is equivalent to finding a collision

问题 I came across a discussion in which I learned that what I'd been doing wasn't in fact salting passwords but peppering them, and I've since begun doing both with a function like: hash_function($salt.hash_function($pepper.$password)) [multiple iterations] Ignoring the chosen hash algorithm (I want this to be a discussion of salts & peppers and not specific algorithms but I'm using a secure one), is this a secure option or should I be doing something different? For those unfamiliar with the

问题 I've always been curious... Which is better when salting a password for hashing: prefix, or postfix? Why? Or does it matter, so long as you salt? To explain: We all (hopefully) know by now that we should salt a password before we hash it for storage in the database [ Edit: So you can avoid things like what happened to Jeff Atwood recently]. Typically this is done by concatenating the salt with the password before passing it through the hashing algorithm. But the examples vary... Some examples

问题 I've always been curious... Which is better when salting a password for hashing: prefix, or postfix? Why? Or does it matter, so long as you salt? To explain: We all (hopefully) know by now that we should salt a password before we hash it for storage in the database [ Edit: So you can avoid things like what happened to Jeff Atwood recently]. Typically this is done by concatenating the salt with the password before passing it through the hashing algorithm. But the examples vary... Some examples