问题
I just read an article. And it's said:
So I’m not saying salts are without purpose, I’m saying that they don’t prevent dictionary or brute force attacks (which they don’t).
If you have a database dump, with hashed passwords and salts, you can start brute force only if you know crypt algorithm. If you use open source, it can be a problem. But if you change algorithm a little, it's not a problem, until somebody know it. Am I right?
回答1:
Troy Hunt recently wrote an excellent article, Our password hashing has no clothes, detailing the evolution of password hashing, including Salts.
Although Salts prevented direct comparisons with pre-hashed rainbow tables, his point is that hardware has improved to the point where applying the salt to an unhashed rainbow password and comparing salted hashes can now be done in a short time due to Moore's law.
As Trickfire states, using a proprietary hashing algorithm is security through obscurity. If the attacker has your database, he will also likely be able to get your app and disassemble it and obtain the algorithm.
回答2:
Security through obscurity
While it makes the problem of figuring out the password a little harder, relying on this technique is not suggested.
来源:https://stackoverflow.com/questions/11322691/can-salt-prevent-dictionary-or-brute-force-attacks