我一直在寻找创建密码盐的首选位置。
对我来说,在数据库级别创建密码 salt 并在数据库级别对输入的密码 + salt 进行哈希处理是有意义的。
但由于我是登录安全性的超级菜鸟,我想知道哪个位置最适合创建盐本身。
根据我的阅读,我创建了一个存储过程,该过程采用userloginandpassword并比较存储的盐连接以验证输入的密码是否正确。
我现在需要知道的是,应该在哪里在新用户帐户上创建密码盐?
如果用户忘记了,我的意图是有一个不可退还的密码。如果他们忘记了,它会给他们一个临时的,然后需要改变。同样,如果密码更改,我也想相应地更改盐。
我没有完全安全的幻想,只想减少机会。
The place to generate the salt and to hash the password, should be in the code, not in the database.
To hash passwords you need a slow key-derivation function like BCrypt or PBKDF2, but most databases have no implementations of such functions. These functions have a cost factor, which controls the necessary time to calculate the hash-value (the longer the more secure against brute-forcing). The salt as well as the cost factor is usually stored in the same string as the password-hash, so you need only a single field to store the hash.
To verify the password, you first have to search with the username for the password-hash, then the function can extract the used salt and the cost factor, and finally the entered password can be hashed with the same parameters for comparison.
There is another reason to do it in the code, password-systems have to switch to stronger algorithms or have to increase the cost factor in future, then it is much easier to handle backwards compatibility in code, as with SQL statements.