开发者

What is "salt" when relating to MYSQL sha1?

开发者 https://www.devze.com 2023-01-28 15:55 出处:网络
What i开发者_如何学JAVAs \"salt\" when relating to MYSQL sha1? I have no idea what salt is when relating to sha1 password encryptions? Can someone please explain what it is?A salt is a value that is a

What i开发者_如何学JAVAs "salt" when relating to MYSQL sha1? I have no idea what salt is when relating to sha1 password encryptions? Can someone please explain what it is?


A salt is a value that is added to a password (or other secret) which you want to hash one way. This means it could be before, after, or somewhere inside the password, as long as its position and value is consistent for a given supplied password.

What this does is it mitigates dictionary attacks - basically dictionaries of common passwords pre-hashed with no salt - from being used to "guess" a one way password as long as the attacker does not know the hash. If every password has a different hash then it makes it very difficult for an attacker to create a dictionary optimized for cracking your passwords (they would need a dictionary for each separate salt and they would also need to know where the salt was placed in each password).

Of course for all of this to be applicable an attacker must have the hashes of your passwords in the first place. This has nothing to do with attacking passwords by guessing them through some input prompt.

Regarding MySQL specifically if you provide a salt when hashing a password, make sure you record what that salt was somewhere. Then when a user attempts authentication you combine that recorded salt value with the password (during the call to crypt for example) and if the resulting hash matches then they have entered the correct password. (Note that at no time is the hashing of a password reversed; thus one way.)


salt is nothing but an string you attach to the password, either as a constant or through a algorithm

which makes it harder for anyone who breached your security and gain access to your stored password, which in return makes in next to impossible for him to use rainbow dictionaries to unlock what the real password is, which in a hacker point of view can be usefull since alot of people use the same password in alot of diffrent sites

$salt = "this is a salt";
$password = 'this is an password';
$hash = sha1($salt.$password);

That's how you basically could salt a password


A salt is appended to the plaintext (or vice versa) before hashing in order to make dictionary lookups more expensive.

0

精彩评论

暂无评论...
验证码 换一张
取 消