我的 mysql 数据库中有一个包含密码列的用户表.目前，我使用 MD5 算法对用户密码进行哈希处理以存储在数据库中.现在我喜欢认为我是一个有安全意识的人.我在阅读 MySQL 文档时注意到他们不推荐 MD5 或 SHA/SHA1 散列方法，但不提供替代方法.

I have a user table in my mysql database that has a password column. Currently, I use the MD5 algorithm to hash the users' password for storage in the database. Now I like to think that I am a security conscience person. I noticed while reading the MySQL docs that they don't recommend MD5 or the SHA/SHA1 hashing methods, but don't offer an alternative.

在 MySQL 中散列密码的最佳方法是什么?在我当前的实现中，PHP 和 MySQL 原生支持的函数将是理想且必要的.

What would be the best way to hash my passwords in MySQL? A function that is natively supported in both PHP and MySQL would be ideal and necessary with my current implementation.

谢谢！

推荐答案

不一定你不应该使用 MD5，而是你不应该使用只是 MD5，因为这就离开了您容易受到彩虹表攻击(彩虹表是预先计算的哈希值的表 - 如果您的密码非常常见或简单，攻击者只需查找哈希值，他就知道您的明文密码.)

It's not necessarily that you shouldn't use MD5, as much it's that you shouldn't use just MD5, as this leaves you vulnerable to rainbow-table attacks (a rainbow table is a table of precomputed hash values - if your password is even remotely common or simple, the attacker needs merely to look up the hash and he knows your plaintext password.)

至少你应该为每个密码添加一个盐，这样任何现有的彩虹表都无用，迫使攻击者为你的密码数据库生成一个全新的彩虹表.

At the very least you should add a salt to every password so that any existing rainbow table is useless, forcing the attacker to generate an entire new rainbow table just for your database of passwords.

更好的办法是为数据库中的每个密码使用不同的盐，比如与之关联的用户名，这样攻击者甚至无法为您的整个数据库生成彩虹表，并且必须单独破解每个条目.

Better still is to use a different salt for every password in your database, say the username it's associated with, so that an attacker can't even generate a rainbow table for your whole database and has to crack each entry separately.

MD5 也是一种非常快速的算法.速度是破解的敌人——生成哈希所需的时间越长，黑客每次尝试所需的时间就越长.对于登录到您的网站的用户来说，像每次使用新的额外盐对纯文本进行 100 次散列处理这样简单的操作几乎无法察觉(如果有的话)，但它会增加暴力破解密码所需的时间.100 次.

MD5 is also a very fast algorithm. Speed is the enemy when it comes to cracking - the longer it takes to generate a hash, the longer it takes for each attempt a hacker makes. Something simple like hashing the plaintext 100 times with a new additional salt each time would be barely perceptible (if at all) to a user logging in to your site, but it would increase the time it takes to brute-force a password by the same 100 times.

这里有更多详细信息:http://www.codinghorror.com/blog/archives/000953.html