How To Safely Store A Password
2015-10-14 13:45
447 查看
Coda Hale
{ writing, projects, about, contact }
How To Safely Store A Password
31 Jan 2010
Use bcrypt
Use bcrypt. Use bcrypt.Use bcrypt. Use bcrypt.
Use bcrypt. Use bcrypt.
Use bcrypt. Use bcrypt.
Use bcrypt.
Why Not {MD5
, SHA1
, SHA256
, SHA512
, SHA-3
,
etc}?
These are all general purpose hash functions, designed to calculate a digest of huge amounts of data in as short a time as possible. This means that they are fantastic for ensuring the integrity of data and utterly rubbishfor storing passwords.
A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords
which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.
And that’s without investing anything.
If you’re willing to spend about 2,000 USD and a week or two picking up CUDA, you can put together
your own little supercomputer cluster which will let you try around 700,000,000 passwords a second.
And that rate you’ll be cracking those passwords at the rate of more thanone per second.
Salts Will Not Help You
It’s important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organicHimalayanpink salt. It doesn’t affect how fast an attacker can try a candidate password, given the hash and the salt from your database.
Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed.
bcrypt
Solves These Problems
How? Basically, it’s slow as hell. It uses a variant of the Blowfish encryption algorithm’s keying schedule, and introduces a work factor, which allows you to determine how expensive the hash function will be. Becauseof this,
bcryptcan keep up with Moore’s law. As computers get faster
you can increase the work factor and the hash will get slower.
How much slower is
bcryptthan, say,
MD5?
Depends on the work factor. Using a work factor of 12,
bcrypthashes
the password
yaaain about 0.3 seconds on my laptop.
MD5,
on the other hand, takes less than a microsecond.
So we’re talking about 5 or so orders of magnitude. Instead of cracking a password every 40 seconds, I’d be cracking them every 12 years or so. Your passwords might not need that
kind of security and you might need a faster comparison algorithm, but
bcryptallows
you to choose your balance of speed and security. Use it.
tl;dr
Use bcrypt.
Updated February 24th, 2011
I’ve been getting pretty regular emails about this article for the past year, and I figured I’d address some of the concerns here rather than have the same conversations over and over again.Isn’t
bcryptjust Blowfish? Where do you store the password?
Please read the Provos & Mazières paper.
bcryptis
an adaptive password hashing algorithm which uses the Blowfish keying schedule, not a symmetric encryption algorithm.
You said salts aren’t helpful, but what about rainbow tables? Why would you suggest people not use salts?
As the Provos & Mazières paper describes,
bcrypthas
salts built-in to prevent rainbow table attacks. So I’m not saying salts are without purpose, I’m saying that they don’t prevent dictionary or brute force attacks (which they don’t).
Rainbow tables, despite their recent popularity as a subject of blog posts, have not aged gracefully. CUDA/OpenCL implementations of password crackers can leverage the massive amount of parallelism available in GPUs, peaking at billions
of candidate passwords a second. You can literally test all lowercase, alphabetic passwords which are ≤7 characters in less than 2 seconds. And you can now rent the hardware which makes this possible to the tune of less
than $3/hour. For about $300/hour, you could crack around 500,000,000,000 candidate passwords a second.
Given this massive shift in the economics of cryptographic attacks, it simply doesn’t make sense for anyone to waste terabytes of disk space in the hope that their victim didn’t use a salt. It’s a lot easier to just crack the passwords. Even a “good” hashing
scheme of
SHA2256(salt ∥ password)is
still completely vulnerable to these cheap and effective attacks, thus the importance of an adaptive hashing algorithm like
bcrypt.
Read More
The Rest Of The Story (29 Nov 2011)You Can’t Sacrifice Partition Tolerance (07
Oct 2010)
FOSS and Male Privilege (27 Aug 2009)
A Lesson In Timing Attacks (or, Don’t use MessageDigest.isEquals) (13
Aug 2009)
How Not To Fix A Security Bug (14 Jun
2009)
What Makes Jersey Interesting:
Injection Providers (16 May 2009)
Ruby and Male Privilege (10 May 2009)
When Formality Works (07 May 2009)
What Makes Jersey Interesting:
Parameter Classes (02 May 2009)
bcryptjs
相关文章推荐
- JS学习之作用域
- jquery设置input disabled属性的示例
- js正则表达式判断一个字符串是否是正确的有数字和小数点组成的金钱形式和 判读数值类型的正则表达式
- [转载]html Meta标签详解
- javascript时间戳和日期字符串相互转换
- Java实现缓存页面中不变的元素,JS,CSS,图片等
- 复选框全选和反选并读取提交后的内容
- jquery插件ztree的总结
- 实现add(2)(3)(4)得出结果为 9
- html 事件
- 13-Jquery其他效果下载
- jquery全选小功能
- JSON
- Web前端开发规范文档你需要知道的事
- 前端开发--实战篇
- nodejs express框架解决跨越问题
- html5和Css3 的参考手册(中文chm版)
- Angularjs与bootstrap.datetimepicker结合实现日期选择器
- JavaScript 时间特效 显示当前时间
- CSS3 Box-sizing属性以及解决兼容性的一些做法