您如何在 MySQL 中安全地存储用户的密码和盐?-数据库问题

How do you securely store a user#39;s password and salt in MySQL?(您如何在 MySQL 中安全地存储用户的密码和盐?)

本文介绍了您如何在 MySQL 中安全地存储用户的密码和盐?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

所以，我在 SO 上发现您应该将密码与盐"一起散列.(文章可以在这里和这里.)

So, I found out on SO that you're supposed to hash the password together with a "salt". (The articles can be found here and here.)

代码如下:

$password = 'fish';

/* should be "unique" for every user? */
$salt= "QUJDMDk=";

$site_key = 'static_site_key';

hash_hmac('sha1', $password . $salt, $site_key);

现在我需要在 MySQL 中同时保存 $password 和 $salt，如下所示:

And now I need to save both the $password and $salt in MySQL, like so:

+---------+--------+----------+-------+
| user_id |  name  | password |  salt |
+---------+--------+----------+-------+
|    1    | krysis |  fish**  | ABC09 |
+---------+--------+----------+-------+

** fish 当然会被散列而不是以纯文本形式存储.

** fish will of course be hashed and not stored in plain text.

而且我只是想知道这样做是否真的有意义，因为这样是黑客或任何也知道盐的人?那么，如果他们破解密码并且看到它是 fishABC09 他们会自动知道密码是 fish?或者他可能永远"无法破解密码，因为他不知道 secret_key，因为它没有存储在数据库中?

And I'm just wondering whether or not it actually makes sense to do it this way, because this way a hacker or whoever will also know the salt? So, if they crack the password and the see it's fishABC09 they automatically will know the password is fish? Or might he "never" be able to crack the password because he doesn't know the secret_key, as it isn't stored in the database?

如果我没有任何意义，我很抱歉.我只是一直使用 sha1 作为密码，今天我发现这些文章谈到了添加 salt.

I'm sorry if I'm not making any sense. I just always used sha1 for passwords, and today I found these articles that talked about adding a salt.