From "hi" to $2y$10$TmNKr…: What Happened to Your Password?

Say that I decide to sign up for an account with an incredibly insecure password, ‘hi’. How does this become something stored in the database like this:


$2y$10$TmNKrCzcsgVeIS/DOdQ6JeyhZUePie/yaiBQHMrN0tk4THZhgHyW6

Passwords are sequences of characters that carry your wallet, personal information, and online history. There is a tremendous need for these to be secure, not only from the user standpoint but from the website’s, in order to be legally compliant and to ensure user trust.


For many reasons, it’s dangerous to directly store the user’s password in the database. The most obvious is that if someone else were to gain access to the database, they would be able to see everyone’s password. Many websites also use cookies, or data stored in your browser that lasts even when you leave the site, to help auto-login on your next site visit. Leaving the raw-text password in a cookie leaves it accessible to the next computer user and to sites and programs that can read cross-site cookies.


A hash is used to convert a string into another representation of the string. The purpose of a hashing function is to create an encoded version of the password such that:


  • Going from password-to-encoded (encoding) is easy (hi_there to sjiu3s9*@slajsk).

  • Going from encoded-to-password (decoding) is impossible (or, at least, very very far from easy) (sjiu3s9*@slajsk to hi_there).

Hence, even if a hacker were to access our databases, they would not be able to convert sjiu3s9*@slajsk into the real entered password, hi_there. Hashing is a difficult idea, however, in that somehow information must only be able to flow in one direction.


This is analogous to representing all of The Odyssey in five pages of text: the transformation is one-way, as it’s impossible to reconstruct The Odyssey from a five-page summary. Hence, an inherent part of hashing is the discarding of information. Because of this fact, sometimes vastly different inputted strings will have the same hash because the discarded information results in the same processed string, but by design the chance this possibility leads to some actual security threat is negligible.


Although there are many hashing functions, generally they follow a three-step design. First, the password is broken into several components, which are passed into a compression function. This compression function is the part that squeezes out some information and condenses the components. Lastly, the output of the compression is encoded (represented) as a long string of characters, which can contain numbers, letters, and symbols.


Through the controlled loss of information, which can be represented mathematically through operations like rounding or modulo, hashing creates a one-way function to secure passwords. Hashing algorithms are designed such that even small changes in the input will drastically affect the end result (the hash for ‘fox123’ is nowhere near similar to the hash for ‘fox122’).


Then, instead of storing the raw password in the database, we store its hash. The next time a user logs in, we hash their input with the same algorithm and see if the hashes match. Since hashes will always yield the same result for the same inputs, we can be confident that the passwords are the same without ever storing the password in an open, vulnerable format.


Hashing greatly increases database security, but it is still vulnerable to the classic try-and-see strategy of hacking. Although hashing has made it impossible to access the raw-text password directly, as long as we know which hashing algorithm is being used (something a reasonably good hacker can find out), we can try millions of inputs and store their hashes, then see if any of the hashes match the ones recorded. This is the practice of building rainbow tables.


Figure: The construction of a Rainbow Table.

Although it may seem much too manual, unfortunately people aren’t as good at creating passwords as you would hope, and many passwords are the same across accounts. Then, a hacker that has access to the database may spot a hash that is identical to one recorded in their rainbow tables:


Noticing that id 4 has the same hash as id 6, and that the hashes recorded are identical to that of input ‘hi’ in the rainbow table, the hacker now has access to two accounts because they know that their passwords are ‘hi’. Although this method may seem like it’s too laborious and inefficient, many hackers are constantly building rainbow tables:


  • Efficient rainbow tables take into account the chance a password is a real password. For instance, ‘si*S&3ljksna’ is probably not a used password and not worth checking, but ‘my_Doggo_3_2020’ is.
  • A standard computer alone can check hashes for almost 600,000 passwords per second. A GPU or 3D card can perform at three times that pace, not to mention specialized systems some hackers operate on.
  • Reiterating on the point above: people suck at generating unique passwords. ‘123456’ is still used as a password by 23 million account holders, and undoubtedly there are many other common passwords. 59% of people use the same password everywhere, meaning that if a rainbow table manages to land on one account, the hacker has a good shot of successfully logging into another of your accounts on a different site.

A well-designed rainbow-table generator that has been generating for several months nonstop would have a massive dictionary, and a large portion of accounts are almost guaranteed to be matched in it.


In order to address this issue, we salt our hashes. (Hungry yet?)


Salting is a brilliant idea: it is the addition of a long string to the end of the password before it is hashed. Whenever someone’s account is created, a salt is generated, and the stored password is the hash of the password and the salt. For example, if the password was ‘hi’ and the randomly generated salt was ‘3s8S72l3’, then the stored hash would not be the hash for ‘hi’ but the hash for ‘hi3s8S72l3’. Both the salt and the hash are stored, so that when a user logs in, the salt is appended to their password and the resulting hash is compared with the stored one.


With a salt that is sufficiently long, salting hashes can defeat rainbow tables. Rainbow tables are constructed by keeping in mind ideas for ‘common passwords’, like names, adjectives, nouns, and sequences of numbers (like dates or digits of pi), since it is impossible to search for all possible passwords as combinations of characters within a reasonable amount of time.


Think of salts as adding complexity to your password. A five-character password, with a 15-character salt, would become a password with twenty-character complexity and drastically reduce the chance that a rainbow table would contain that hash. So, technically, if you were to sign up for a site that used very heavy salting with the password ‘hi’, you would be safe.


That being said, most sites don’t spend many resources on heavy salting, because long salts take space to store (salts can also sometimes be derived from other data, like your username or the time at which you signed up, to avoid the space required to store a separate value), so it’s better to follow good password guidelines for security’s sake.
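The whole story of the article in one place, as an added example that is not part of the original post: the stored string quoted at the top is split into the fields bcrypt keeps (format identifier, cost, the salt stored in the clear, and the hash), and a small user table shows the id-4/id-6 lookup succeeding against unsalted hashes and failing once each account gets its own random salt. SHA-256 from the standard library stands in for the hash function so the code runs without the bcrypt package; the user ids, candidate passwords and salts are constructed here.

```python
import hashlib
import secrets

# The stored value quoted at the top of the article. "$2y$" is bcrypt's
# format identifier, "10" its cost (2**10 rounds), then a 22-character
# salt followed by the 31-character hash, all in bcrypt's base64 alphabet.
STORED = "$2y$10$TmNKrCzcsgVeIS/DOdQ6JeyhZUePie/yaiBQHMrN0tk4THZhgHyW6"

def parse_bcrypt(stored: str) -> dict:
    """Split a bcrypt string into its fields; note the salt sits in the
    clear right next to the hash, as the article says it must."""
    _, ident, cost, rest = stored.split("$")
    if ident not in ("2a", "2b", "2y") or len(rest) != 53:
        raise ValueError("not a bcrypt-format string")
    return {"ident": ident, "rounds": 2 ** int(cost),
            "salt": rest[:22], "hash": rest[22:]}

def unsalted(password: str) -> str:
    # SHA-256 stands in for "any hash" so the demo needs only the standard
    # library; a real password store would use bcrypt itself.
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password: str, salt: str) -> str:
    # Salt appended to the password before hashing, exactly as described.
    return hashlib.sha256((password + salt).encode()).hexdigest()

def new_salt() -> str:
    return secrets.token_hex(8)  # fresh random 16-character salt per account

def lookup_table(candidates) -> dict:
    """Precomputed hash -> password map, the article's rainbow-table idea."""
    return {unsalted(p): p for p in candidates}

def crack_unsalted(db: dict, table: dict) -> dict:
    """{user_id: password} for every stored hash that appears in the table."""
    return {uid: table[h] for uid, h in db.items() if h in table}

def crack_salted(db: dict, table: dict) -> dict:
    """Same lookup against (salt, hash) records: the table is useless."""
    return {uid: table[h] for uid, (_salt, h) in db.items() if h in table}

def verify(password: str, salt: str, stored_hash: str) -> bool:
    # Login check: re-hash the input with the stored salt, compare in constant time.
    return secrets.compare_digest(salted(password, salt), stored_hash)
```

Two users who both chose ‘hi’ end up with different salted hashes, so a match on one account says nothing about the other.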


Key Points

  • A hash is used to convert passwords into an encoded form. Hashes cannot be decoded, meaning that even if you have a hash, you will not be able to access the original password.
  • In order to ensure one-way information flow, hashes utilize a controlled form of information loss.
  • Rainbow Tables are created by hackers to keep track of inputs and their hashes, which can be matched to recorded hashes to find the original passwords. This method can be very efficient with an effective and lengthy Rainbow Table.
  • Salting is used to shield against Rainbow Tables by appending salts, or long strings of randomly generated characters, to the end of passwords before they are hashed. This creates an entirely different hash, increases the password’s complexity, and makes it much less computationally feasible for a Rainbow Table attack to work.

Translated from: https://levelup.gitconnected.com/from-hi-to-2y-10-tmnkr-what-happened-to-your-password-f70c869183c4