
Should I prefer hash algorithms with longer outputs for storing passwords?

开发者 https://www.devze.com 2023-04-04 12:49 Source: web

I'm building a site where security is somewhat important (then again, when is it not important?) and I was looking for the best way to store my passwords. I know that MD5 has issues with collisions as well as SHA-1, so I was looking into storing my passwords via either SHA-256 or SHA-512.

Is it wiser to store a longer hash variant as opposed to a smaller one? (i.e. 512 vs 256) Does it take significantly more time to crack a SHA-512 encoded password versus a SHA-256 encoded password?

Also, I've read about using "salts" for the passwords. What is this and how does it work? Do I simply store the salt value in another database field? How do I use that as a part of the hash value calculation?


For password storage, you need more than a mere hash function; you need:

  • an extremely slow hash function (so that brute force attacks are more difficult)
  • and a salt: a publicly known value, stored along the hash, distinct for each hashed password, and entering in the password hashing process. The salt prevents an attacker from efficiently attacking several passwords (e.g. using precomputed hash tables).

So you need bcrypt.

For the point of the hash output size: if that size is n bits, then n shall be such that an attacker cannot realistically compute the hash function 2^n times; 80 bits are quite enough for that. An output of 128 bits is thus already overkill. You still would not want to use MD5, because it is way too fast (100000 nested invocations of MD5 might be slow enough, though) and because some structural weaknesses have been found in MD5, which do not directly impact its security for hashing passwords, but are bad public relations nonetheless. Anyway, you should use bcrypt, not a homemade structure.
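
To make the salt and "slow hash" points concrete, here is an added example (not part of the original answers) showing where the salt is stored and how it enters the calculation. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, which needs a third-party package. The record format, the iteration count and the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumed settings for this example; raise ITERATIONS as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return one storable field: algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM or int(iterations) < 1:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, OverflowError):
        return False  # malformed or corrupted record never verifies


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was created with a lower cost than the current one."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print(a != b)  # same password, different salts, different records
    print(verify_password("correct horse battery staple", a))
```

Because the salt and cost travel inside the record, a single database column is enough, and `needs_rehash` lets you upgrade old records the next time a user logs in successfully.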


Some of the answers here are giving you dubious advice. I recommend you to head over to the IT Security Stack Exchange and search on "password hashing". You will find lots of advice, and much of it has been carefully vetted by folks on the security stack exchange. Or, you could just listen to @Thomas Pornin, who knows what he is talking about.


Collisions are not relevant in your scenario, so MD5's weaknesses are not relevant. However, the most important thing is to use a hash that takes a long time to compute. Read http://codahale.com/how-to-safely-store-a-password/ and http://www.jasypt.org/howtoencryptuserpasswords.html (even if you're not using Java the techniques are still valid).

I would stay away from MD5 in any case, since there are other hashes that perform just as well.
