问题
I am attempting to create my first login page as a learning exercise.
My plan was to pre hash the password using a salt of the username for example. Store that in a text file and then when when the user logs in i would hash the password using the same salt and compare the results to the text file.
I am a complete beginner with security etc so i dont know if this would be secure or not? What is the norm for small applications? if this method isnt recommended, what is a suitable simple alternative?
EDIT One possible solution if i can get it to work.
String unpwfield;
unpwfield = userId.getText()+passwordfield.getText();
if (BCrypt.checkpw(unpwfield, passwordhash))
System.out.println("It matches");
else
System.out.println(userId.getText()+passwordfield.getText());
回答1:
For password storage, you're going to want to use a slow hashing algorithm. Cryptographic hashes are too fast, and do not slow at attacker down in offline password guessing. For example, bcrypt is often the most suitable algorithm to use.
Bcrypt generates its own salts, so you do not need to worry about a secure way to generate these.
I would avoid using username as the salt. A salt is to avoid the same password ever being stored with the same byte representation if used multiple times.
The reasons are if the user reuses the same password, then it is immediately obvious to any attacker with visibility on the password hash data. Also, if your system is openly available, every instance of your application will have the hashes for the admin user stored in exactly the same way, meaning attackers will be able to pre-build rainbow tables with admin as the salt.
See the OWASP Cheat Sheet on Password Storage for further information and guidance.
来源:https://stackoverflow.com/questions/38821149/simple-username-and-password-validation-java