salt

问题 I am developing a site in php 5.4 and i was wondering which is better to use to gen a random salt for password security? $salt = sha1(openssl_random_pseudo_bytes(23)); or $seed = ''; $a = @fopen('/dev/urandom','rb'); $seed .= @fread($a,23); $salt = sha1(seed); or should i just go with: $salt = openssl_random_pseudo_bytes(40); or $salt = ''; $a = @fopen('/dev/urandom','rb'); $salt .= @fread($a,23); 回答1: For security purposes you are better off using openssl_random_pseudo_bytes . OpenSSL takes

问题 I just read an article. And it's said: So I’m not saying salts are without purpose, I’m saying that they don’t prevent dictionary or brute force attacks (which they don’t). If you have a database dump, with hashed passwords and salts, you can start brute force only if you know crypt algorithm. If you use open source, it can be a problem. But if you change algorithm a little, it's not a problem, until somebody know it. Am I right? 回答1: Troy Hunt recently wrote an excellent article, Our

问题 My Question: What is the Best Approach to Ensure Data Security of Small Data? Below I present a concern around symmetric and asymmetric encryption. I'm curious if there is a way to do asymmetric encryption on small data with an equivalent of some sort of "salting" to actually make it secure? If so, how do you pick a "salt" and implement it properly? Or is there a better way to handle this? Explanation of My Concern: When encrypting something that has "bulk" it seems to me that asymmetric

问题 On crackstation.net it is stated: To Validate a Password Retrieve the user's salt and hash from the database. Prepend the salt to the given password and hash it using the same hash function. Compare the hash of the given password with the hash from the database. If they match, the password is correct. Otherwise, the password is incorrect. However in the source code listed at the bottom of the page, I can't figure out how the validate_password function takes into account the salt. I mean where

问题 From what I understand from salting to make an encrypted password more secure, I would generate a random number (the salt) and store it along side the hashed password, in the user record (for example.) I would concatenate the salt with the plaintext password and then encrypt it (hash). The resulting hash would be much more difficult to crack. This process would be repeated to verify the password. Looking at has_secure_password and bcrypt_ruby (disclosure: I am not a security expert) I don't

问题 What method would you call safest and most secure? I took these snippets off php.net. I'm just wondering because people posted their own and I just couldn't catch on to understand why some are the way they are... Can someone help me out and tell me a little more about these? Which would be the most secure and why? 1. <?php $hash = md5($salt1.$password.$salt2); ?> 2. <?php function eliteEncrypt($string) { // Create a salt $salt = md5($string."%*4!#$;\.k~'(_@"); // Hash the string $string = md5

问题 I am having an issue getting the password being stored on in mysql to match the Login password using salt. Here is the code from my password creation: $hash = hash('sha256', $password); function createSalt() { $text = md5(uniqid(rand(), true)); return substr($text, 0, 3); } $salt = createSalt(); $password = hash('sha256', $salt . $hash); Here is the code in my login page: $userData = $result->fetch_array(MYSQL_ASSOC); $hash = hash('sha256', $password); $password = hash('sha256', $userData[

问题 I have the below code to show all data from a MySQL database in a HTMl database: <?php $result = mysqli_query($con,"SELECT * FROM Persons"); echo "<table border='1'>"; $i = 0; while($row = $result->fetch_assoc()) { if ($i == 0) { $i++; echo "<tr>"; foreach ($row as $key => $value) { echo "<th>" . $key . "</th>"; } echo "</tr>"; } echo "<tr>"; foreach ($row as $value) { echo "<td>" . $value . "</td>"; } echo "</tr>"; } echo "</table>"; mysqli_close($con); ?> This code works fine and the data

问题 I read this tutorial about encryption in .NET it uses Rfc2898DeriveBytes to create a random key to be used by symmetric algorithm . but it doesn't save the key . and later in decryption method it supplies the same password and salt and decrypts the text . does it mean supplying the same salt and password to Rfc2898DeriveBytes could derived the same key ? no need to save the key and just save salt and password ? 回答1: Yes, that is correct. Identical inputs to Rfc2898DeriveBytes provide

问题 What if my server gets hacked and the hacker views my hashed passwords and can see what salt I was using. Is it something to worry about? 回答1: Yes it is. Now hacker can bruteforce them (if he knows how actually you salted the passwords). Nothing more to worry - since you're using the salted passwords more intelligent attacks (other than bruteforce) cannot be applied. 回答2: It is not supposed to be a problem. The idea with salt values is that it prevents a rainbow attack (using precomputed