salt

问题 I'm trying to generate a salt in Java to use with a hashing algorithm for secure password storage. I'm using the following code to create the random salt: private static String getSalt() throws NoSuchAlgorithmException { SecureRandom sr = SecureRandom.getInstance("SHA1PRNG"); byte[] salt = new byte[16]; sr.nextBytes(salt); System.out.println(salt.toString()); return salt.toString(); } Which should generate a completely secure, randomly generated salt to use in my hashing algorithm. When I run

问题 I'm using coldfusion and I would like to generate a random salt field for my passwords. I was wondering if a CreateUUID() function is useful here. I found many examples which use a seperate function to create the salt string; but why do this when you could use rand() or CreateUUID() functions instead? I'm not sure. Is it an overkill or a good idea? Or should I use rand() or a timestamp instead? 回答1: This is not a good idea - CreateUUID guarantees uniqueness , not randomness ; if you did a

问题 Basically, what I'm asking is if salting a password by appending a hashed version of it to the end of it is just as secure as salting with a different string. So: Is this: $pass = "pass"; $salt = sha1(md5($pass)); $pass = md5($pass.$salt); As secure as this? $pass = "pass"; $salt = "4D9ds*^dkrUI45^#dkd*3fD8&!dlvd*"; $pass = md5($pass.$salt); 回答1: The first example is as secure as hashing without using any salt at all, because it still just requires the password and nothing more to crack. In

问题 I am relatively new to php, and just beginning to grasp the point of salt when it comes to hashing passwords (I think?). Anyways, here's my problem... Right now I have a mysql database with a username, password, salt field. The password field length is 64 chars, the salt field is 3 chars. Upon registry, each username is assigned a random salt. I am not having any issues with this (I believe). First, the user's desired password is hashed via: $hashedinput = hash ('sha256', $input); The user's

问题 This question already has answers here : Closed 8 years ago . Possible Duplicate: What is the purpose of salt? I've just been reading up a bit about the use of salts, and the example I've been reading gives that of adding a salt to a password before hashing to protect against a dictionary attack. However I don't really see how that helps - if the attacker has access to the hash of the password (as they do in the example I've been reading) they most likely they will also have access to the

问题 This is the second component of the legacy system translation we’ve been trying to do. We have managed to match exactly the initial binary password/key that Windows ::CryptHashData generates. That password/key is passed to ::CryptDeriveKey where it performs a number of steps to create the final key to be used by ::CryptEncrypt. My research has led me to the CryptDeriveKey documentation where it clearly describes the steps required to derive the key for ::CryptEncrypt but so far I haven’t been

问题 Does saltstack have an equivalent to puppets versioncmp() function? Or alternatively, is there a way to get the distutils.version or packaging.version.parse methods (as mentioned on Compare version strings in Python) available in a jinja+yaml rendered sls file? 回答1: you can use the module pkg.version_cmp : # salt-call pkg.version_cmp '1.0.2' '1.1.1' local: -1 # salt-call pkg.version_cmp '0.2.4.1-0ubuntu1' '0.2.4-0ubuntu1' local: 1 Inside jinja you can use it in a way similar to: {% if salt[

问题 Like most programmers, I am not an expert on cryptography but I understand the basics. However, a little knowledge can be a dangerous thing, as noted in Jeff's blog post. With that in mind, I understand the purpose of a salt value but I need a little help understanding how to use salt values. I've read in the other posts on this subject that it is best to use a random salt value for each password to be encrypted. If this is the case, how do I reproduce that random salt value when I attempt to

问题 I am attempting to use the Shiro JdbcRealm and SHA256 hashedcredentialsMatcher. I need to update a legacy database and assign the appropriate salt for each user (via a batch routine). how do I get/set the salt for a given account using the Shiro framework? 回答1: With Shiro 1.2.3 all you need to do is: Extend JdbcRealm and set salt style. public class JdbcSaltRealm extends JdbcRealm { public JdbcSaltRealm() { setSaltStyle(SaltStyle.COLUMN); } } Update shiro.ini to use extended realm and to get

问题 Code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-characters'] ); Result: Warning: password_hash(): Provided salt is too short: 21 expecting 22 code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersA'] ); Result: $2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX..YR7t/32 code: echo password_hash("stackoverflow", PASSWORD_DEFAULT, ['salt' => 'twenty-one-charactersB'] ); $2y$10$dHdlbnR5LW9uZS1jaGFyYOVyX13hK9eb4/KXMAkHsAJX