The other day a translated article was published, just about the use of salt.
If you are paranoid, then it is better not to store salt, but to calculate it based on relatively available data. Take, for example, the SKU of the user's first purchase, add the amount of the item, add a common constant salt, and wrap it all in MD5. If there were no purchases, then the first product viewed (think for yourself). If you have data on money stored in another database, it will turn out quite stable.
You can generate a salt and a new hash based on the latest entry in the microblog or the login of the attached manager. Fantasize.
The main thing is to limit the ability of an attacker to access this data when the system is partially compromised. For example, he has a table with logins and a hash, he has access to the site content, but he could not get the billing database. Or there is no access to the file system, and you are stuck on the avatar settings. It will be more difficult.
The first thing that came to mind:
import hashlib  # the posted one-liner, written out as runnable Python: SHA-1 over (MD5 hex of the password) + the password
hashed_password = hashlib.sha1((hashlib.md5(password.encode("utf-8")).hexdigest() + password).encode("utf-8")).hexdigest()
I will quote comrade varnar:
So that brute force does not help, you need to use bcrypt and salt it with SHA-512 over several iterations, so that generating the required hash takes, say, half a second.
Passwords must be ENCRYPTED, not hashed; hashing is designed for fast computation of the hash, and that is exactly what we do not want.
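The slow, salted hash the quoted comment calls for, as an added example that is neither varnar's nor the asker's code: Python's standard-library PBKDF2-HMAC-SHA-512 stands in for bcrypt (a swap, since bcrypt is not in the standard library), with a random per-user salt kept in the stored record and an iteration count calibrated to roughly the half second mentioned above.

```python
import hashlib
import hmac
import os
import time

# Added example, not code from the thread. PBKDF2-HMAC-SHA-512 (standard
# library) stands in for the bcrypt recommended above; the idea shown is the
# same: a random per-user salt plus an iteration count (work factor) that
# makes each hash computation deliberately slow.
HASH_NAME = "sha512"
SALT_BYTES = 16
SCHEME = "pbkdf2_" + HASH_NAME


def hash_password(password: str, iterations: int) -> str:
    """Return 'pbkdf2_sha512$<iterations>$<salt hex>$<hash hex>'.
    A fresh random salt per call means two users with the same password get
    different records and a precomputed table is useless against the store."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time so
    timing does not reveal how many leading bytes matched."""
    try:
        scheme, iter_str, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_str)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: refuse rather than crash
    if scheme != SCHEME or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def calibrate_iterations(target_seconds: float = 0.5, probe: int = 20_000) -> int:
    """Choose an iteration count so one hash takes about target_seconds here
    (the 'half a second' from the comment). Records carry their own count, so
    raising it later does not break verification of older hashes."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH_NAME, b"calibration", b"\x00" * SALT_BYTES, probe)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(probe, int(probe * target_seconds / elapsed))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", calibrate_iterations())
    print(record, verify_password("correct horse battery staple", record))
```

Re-run the calibration whenever the hardware changes; since each record stores its own iteration count, raising the count only affects newly created or re-hashed passwords.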