天道酬勤,学无止境

saltedhash

Hashing and Salting Passwords with Spring Security 3

How can I hash passwords and salt them with Spring Security 3?

2021-11-21 06:26:09    分类:问答    java   spring   hash   spring-security   saltedhash

Can a password be cracked with this information?

In the screenshot there is a browser cookie with an encrypted seed hex and a salt hex. It is possible to find out the seed from this information? Why? Why not? Thanks!

2021-11-14 09:10:22    分类:问答    json   encryption   cryptography   private-key   saltedhash

记住用户复选框的好安全方法(Good secure way to remember a user checkbox)

问题 我有一个要求输入用户名和密码的登录页面。 此页面有一个复选框“记住我”。 身份验证是:对于提供的用户名,使用存储在用户 db 记录中的 salt 将提供的密码转换为散列,并将散列与存储的散列进行比较。 当用户勾选此框时,我应该在他们的 cookie 中存储什么,以便他们下次访问时自动登录? 我认为一个好方法是将他们的用户名和密码的散列值存储在 cookie 中,并在下次访问时重新验证用户。 盐将被保存在数据库中。 回答1 我不会在客户端 cookie 中存储散列密码。 我会在用户和长期会话之间创建另一个抽象。 我将首先阅读以下文章,以了解有关挑战的一些想法: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/ 那篇文章的关键部分是,并非所有登录都应该创建相同。 回答2 这取决于您要维护的安全级别。 当我选中“记住我”框时,我只希望它记住我的用户名。 我仍然想像往常一样提供我的密码。 将用户名和散列密码存储在 cookie 中,对我来说似乎是个坏主意。 回答3 如果你真的想让用户保持登录状态,那么你应该在 cookie 中存储一个唯一的登录令牌,而不是用户名或散列密码。 当您的服务器收到登录令牌时,您可以将其与持久登录用户的数据库进行比较,并查看该令牌对应于哪个用户。

2021-10-31 10:22:54    分类:技术分享    asp.net-mvc-3   security   cookies   passwords   saltedhash

bcrypt node.js(自动生成盐和哈希)(bcrypt node.js (auto-gen a salt and hash))

问题 在将用户密码存储在我的数据库中之前,我使用以下代码来散列(并希望是加盐)用户密码。 // hash the password before the user is saved ConsultantSchema.pre('save', function(next) { var user = this; // hash the password only if the password has been changed or user is new if (!user.isModified('password')) return next(); // generate the hash bcrypt.hash(user.password, null, null, function(err, hash) { if (err) { logger.error("bcrypt.hash "+err); return next(err); } // change the password to the hashed version user.password = hash; next(); }); }); 我感到困惑的是,部分 bcrypt.hash(user.password, null, null, function(err, hash) { 我从教程中得到了这段代码

2021-10-15 22:52:42    分类:技术分享    node.js   hash   bcrypt   salt   saltedhash

Good secure way to remember a user checkbox

I have a login page which asks for a username and password. This page has a checkbox "Remember Me". Authentication is: For the username provided, convert the provided password to a hash using the salt stored with the user db record and compare the hash to the stored hash. When a user ticks the box, what should I store in their cookie so they auto login next time they visit? I was thinking that a good way was to store their username and a hashed value of their password in a cookie and to re authenticate the user on their next visit. The salt will be kept away stored in a database.

2021-09-30 13:00:21    分类:问答    asp.net-mvc-3   security   cookies   passwords   saltedhash

bcrypt node.js (auto-gen a salt and hash)

I am using the following code to hash (and hopefully salt) user passwords before I store them in my DB. // hash the password before the user is saved ConsultantSchema.pre('save', function(next) { var user = this; // hash the password only if the password has been changed or user is new if (!user.isModified('password')) return next(); // generate the hash bcrypt.hash(user.password, null, null, function(err, hash) { if (err) { logger.error("bcrypt.hash "+err); return next(err); } // change the password to the hashed version user.password = hash; next(); }); }); What I am confused about, is the

2021-09-01 09:50:01    分类:问答    node.js   hash   bcrypt   salt   saltedhash

创建盐渍哈希密码的正确方法(Correct way of creating salted hash password)

问题 我是在数据库上存储密码的新手,根据我阅读的内容,我在下面创建了一个简单的 php 脚本 <?php $salt = openssl_random_pseudo_bytes (16); $password = "test"; $hash = hash ("sha512" , $salt . $password); echo $hash; ?> 我这样做正确吗? 盐应该作为字节数据类型存储在数据库中吗? 最终的哈希值是否应该存储在数据库中的 String 数据类型中? 回答1 SHA* 算法不适用于散列密码,因为它们太快了,因此可能会被暴力破解得太快。 相反,应该使用像 BCrypt 或 PBKDF2 这样的慢算法,它具有成本因素,可以控制必要的时间。 PHP 通过新函数 password_hash() 支持 BCrypt 算法。 还有一个适用于早期 PHP 版本的兼容包。 // Hash a new password for storing in the database. // The function automatically generates a cryptographically safe salt. $hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT); // Check if the hash

2021-09-01 04:59:22    分类:技术分享    php   security   hash   salt   saltedhash

Spring security password hash + salt

I am working with a legacy application that stored passwords in plaintext. I have ported the application to spring 3 mvc + security. I have also successfully gotten spring security handling the authentication and authorization using sha256 + a salt based on the username. This all works great, however as part of the deployment, I will need to migrate the existing database to use the new password schema. I am not sure how spring security does it's password hashing with a salt, so i am unable to write a sql script that can be used to migrate the old plaintext passwords to the new sha256+salt

2021-06-27 04:47:26    分类:问答    java   spring   spring-security   salt   saltedhash

Correct way of creating salted hash password

I am new to storing passwords on databases and from what I read I have created a simple php script below <?php $salt = openssl_random_pseudo_bytes (16); $password = "test"; $hash = hash ("sha512" , $salt . $password); echo $hash; ?> Am I doing this correctly? Should the salt be stored in databases as byte datatype? Should the final hash be stored at String datatype in database?

2021-06-27 01:27:35    分类:问答    php   security   hash   salt   saltedhash

How to design system to allow migration of encryption?

I want to set up a system where I am allow to migrate encrypted password (hash password), from one system to another. How would i do this? Say 2 month down the line, i found a encryption that is 10 times better and the current hash function has been proven without a doubt, totally vulnerable. How would I go about migrating user password from one type of hash to another (the better one).

2021-06-10 11:13:51    分类:问答    encryption   hash   passwords   migration   saltedhash