問題:
I've always used a proper per-entry salt string when hashing passwords for database storage.在爲數據庫存儲散列密碼時,我總是使用正確的每個條目的鹽字符串。 For my needs, storing the salt in the DB next to the hashed password has always worked fine.根據我的需要,將鹽存儲在散列密碼旁邊的數據庫中一直工作正常。
However, some people recommend that the salt be stored separately from the database.但是,有些人建議將鹽與數據庫分開存儲。 Their argument is that if the database is compromised, an attacker can still build a rainbow table taking a particular salt string into account in order to crack one account at a time.他們的論點是,如果數據庫遭到破壞,攻擊者仍然可以構建彩虹表,將特定的鹽串考慮在內,以便一次破解一個帳戶。 If this account has admin privileges, then he may not even need to crack any others.如果這個賬戶有管理員權限,那麼他可能甚至不需要破解任何其他人。
From a security perspective, is it worth it to store salts in a different place?從安全的角度來看,將鹽存放在不同的地方是否值得? Consider a web application with the server code and DB on the same machine.考慮在同一臺機器上具有服務器代碼和數據庫的 Web 應用程序。 If the salts are stored in a flat file on that machine, chances are that if the database is compromised, the salts file will be, too.如果鹽存儲在該機器上的平面文件中,則很可能如果數據庫受到損害,鹽文件也將受到損害。
Are there any recommended solutions to this?是否有任何推薦的解決方案?
解決方案:
參考一: https://stackoom.com/question/57Ln參考二: Where do you store your salt strings?