1: Basic knowledge: Hashing with Salt
We already know how quickly malicious attackers can crack ordinary hashes using lookup tables and rainbow tables. We have also
learned that using randomly salted hashes can solve this problem. But what kind of salt do we use, and how do we
mix it into a password?
The salt value should be generated using a cryptographically secure pseudo-random number generator (Cryptographically Secure Pseudo-Random
Number Generator, CSPRNG). A CSPRNG is very different from an ordinary pseudo-random number generator, such as the rand() function of the C language. As the name suggests, a CSPRNG is designed to be cryptographically secure, meaning it provides highly random, completely unpredictable random numbers. We don't want the salt value to be predictable, so a CSPRNG must be used.
The following table lists some CSPRNG methods of current mainstream programming platforms.
Platform | CSPRNG |
Java | |
.NET (C#, VB) | System.Security.Cryptography.RNGCryptoServiceProvider |
Ruby | SecureRandom |
Python | os.urandom |
Perl | Math::Random::Secure |
C/C++ (Windows API) | CryptGenRandom |
Any language on GNU/Linux or Unix | Read from /dev/random or /dev/urandom |
A unique salt value must be used for each password of each user. Each time a user creates an account or changes their password, the password should have a new random salt value.
Use a CSPRNG to generate a sufficiently long random salt value.
Mix the salt into the password and hash it using a standard password hashing function, such as Argon2, bcrypt, scrypt, or PBKDF2.
Retrieve the user's salt value and the corresponding hash value from the database.
Mix the salt value into the password entered by the user and hash it using the same hash function.