我正在阅读很多关于如何安全存储密码的相互矛盾的建议.我所知道的肯定是不要使用 MD5！我见过有人提倡使用 PHP 的 bcrypt 函数，这似乎会占用服务器的处理器.我见过提倡盐的人，也见过不使用盐的人.

I'm reading so much conflicting advice as to how to store passwords securely. All I know for sure is not to use MD5! I've seen people advocate using PHP's bcrypt function, which seems like it'd hog the server's processor. I've seen advocates for salts, and advocates for not using salts.

这一切都太不清楚了.是否有关于如何安全存储密码的真实可信的建议?

It's all just so unclear. Is there real and credible advice as to how to store passwords securely?

经过大量研究，我发现了一篇来自 ;login: 的文章，该文章相当深入地处理了该主题:http://www.usenix.org/publications/login/2004-06/pdfs/alexander.pdf

After a fair amount of research, I found an article from ;login: that deals with the topic in quite some depth: http://www.usenix.org/publications/login/2004-06/pdfs/alexander.pdf

推荐答案

嗯，这有几个部分.

首先，您需要尽量避免访问您的数据库和密码，并确保它们的安全.这包括不使您的密码明文并且不使用对称加密算法.您需要使用 salt.这样做可以防止人们使用预先计算的查找表(即彩虹表)或类似 http://md5.rednoize.com/的东西.为您的盐选择一些独特和不可预测的数据.我通常使用随机的 32 位值，但我不会少用.有些算法比其他算法更强大.这是通过几种方式定义的 You need to try to make it difficult to get to your db and passwords in the first place, keep them secure. This includes not making your passwords cleartext and not using a symmetric encryption algorithm. You need to use a salt. Doing this prevents people from using a precomputed lookup table (i.e. rainbow table) or something like http://md5.rednoize.com/. Pick some data for your salt that is both unique and unpredictable. I usually use a random 32 bit value, but I wouldn't go much less. Some algorithms are stronger than others. This is defined in a couple ways 计算速度有多快.越长越好.攻击者计算哈希的速度越快，暴力攻击的可能性就越大.如果算法没有减少搜索空间的已知弱点.例如，md5 哈希中的位数具有误导性，因为存在 已知攻击减少实际搜索空间 How fast it can be computed. Longer is better. The faster the attacker can calculate hashes, the better the odds are for a bruteforce attack. If the algorithm has no known weakness which reduce the search space. For example, the number of bits in an md5 hash is misleading because there are known attacks that reduce the actual search space

截至今天，我认为带有盐的 SHA1 或 SHA2 对于不远的将来.有一个名为 bcrypt 的实用程序，它使用河豚的不对称变体，并内置了盐和计算费用的概念-，也许值得一试.

As of today I think SHA1 or SHA2 with a salt is reasonably secure for the near future. There is a utility called bcrypt which uses an asymmetric variant of blowfish and has the concepts of salt and computational expense built-in, it might be worth checking out.

我想澄清什么是盐，因为在 SO 和在线上存在很多对它的误解.

I wanted to clarify what a salt is, as there is a lot of misconception about it on SO and online.

一个秘密，预先商定的字符串，你用密码散列.这是密钥，不是盐.

A secret, pre-agreed upon string that you hash with the password. This is a secret key, not a salt.

您在散列时将盐(每个散列唯一且不可预测)与您的密码一起包括在内，但您还包括它的未加密副本在散列之外，所以在稍后验证哈希时，您可以在对哈希之前给出测试密码时包含相同的盐，这样您就可以正确比较哈希.

You include the salt (unique and unpredictable per hash) along with your password when hashing, but you also include a unencrypted copy of it outside of your hash, so that when verifying the hash later you are able to include the same salt when given a test password before hashing it so you can properly compare the hash.