
passwords - Password hashing: PBKDF2 (using sha512 x 1000) vs Bcrypt

Reposted. Author: 行者123. Updated: 2023-12-03 16:11:11

I have been reading about the Gawker incident, and several articles have come up about using only bcrypt to hash passwords. I want to make sure my hashing mechanism is secure enough that I can avoid switching to another method. In my current application I chose a PBKDF2 implementation using SHA2-512 and a minimum of 1000 iterations.

Can I get opinions on PBKDF2 versus bcrypt, and on whether I should implement the change?

Accepted answer

You're fine with PBKDF2; there is no need to jump to bcrypt.

That said, the recommendation of 1000 iterations was made in 2000; nowadays you want more.

Also, you should be more careful when using bcrypt:

It is also worth noting that while bcrypt is stronger than PBKDF2 for most types of passwords, it falls behind for long passphrases; this results from bcrypt's inability to use more than the first 55 characters of a passphrase. While our estimated costs and NIST's estimates of passphrase entropy suggest that bcrypt's 55-character limitation is not likely to cause problems at the present time, implementors of systems which rely on bcrypt might be well-advised to either work around this limitation (e.g., by "prehashing" a passphrase to make it fit into the 55-character limit) or to take steps to prevent users from placing too much password entropy in the 56th and subsequent characters (e.g., by asking users of a website to type their password into an input box which only has space for 55 characters).

From the scrypt paper [PDF]

That said, there is also scrypt.

No comparison would be complete without the table from the scrypt paper mentioned above:

Estimated cost of hardware to crack a password in 1 year.

The iteration counts used for PBKDF2-HMAC-SHA256 were 86,000 and 4,300,000.
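An added example, not part of the question or the answer above: it shows the two practical points the answer makes, that a 1000-iteration PBKDF2 hash should be migrated to a higher count, and that a long passphrase can be prehashed to fit bcrypt's 55-character limit. It uses only the Python standard library (hashlib.pbkdf2_hmac, hmac.compare_digest). The record format `pbkdf2_sha512$<iterations>$<salt>$<dk>`, the 210,000-iteration default (roughly the figure OWASP's Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA512), and the function names are my choices for illustration, not anything from the page. The bcrypt call itself is not shown because bcrypt is not in the standard library; only the prehashing step is.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Parameters for newly created hashes. The asker used 1000 iterations, the 2000-era
# RFC 2898 recommendation; the answer says you now want more. 210_000 is an assumed
# value for illustration; calibrate_iterations() picks one for real hardware.
PRF = "sha512"
ITERATIONS = 210_000
SALT_BYTES = 16
DKLEN = 64  # one full SHA-512 output; more would cost an extra PBKDF2 block per 64 bytes


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha512$<iterations>$<salt>$<dk>.

    Storing the iteration count next to the hash is what allows the count to be
    raised later without invalidating existing users (see verify_and_upgrade).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join(("pbkdf2_" + PRF, str(iterations), _b64(salt), _b64(dk)))


def _parse(stored: str) -> Tuple[int, bytes, bytes]:
    scheme, iterations, salt, dk = stored.split("$")
    if scheme != "pbkdf2_" + PRF:
        raise ValueError("unsupported scheme: " + scheme)
    return int(iterations), base64.b64decode(salt), base64.b64decode(dk)


def verify_password(password: str, stored: str) -> bool:
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations,
                                    dklen=len(expected))
    # Constant-time comparison, so the compare itself leaks nothing about the stored hash.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when the stored record uses fewer iterations than current policy."""
    iterations, _, _ = _parse(stored)
    return iterations < min_iterations


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check the password; on success, return a fresh hash if the stored one is below policy.

    Login is the only moment the plaintext is available, so it is the only place a
    1000-iteration hash can be transparently replaced. The caller persists the new
    record whenever it is not None.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, None


def calibrate_iterations(target_seconds: float = 0.25, probe: int = 10_000) -> int:
    """Estimate the iteration count that costs about target_seconds on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(PRF, b"calibration", os.urandom(SALT_BYTES), probe, dklen=DKLEN)
    per_iteration = (time.perf_counter() - start) / probe
    return max(probe, int(target_seconds / per_iteration))


def prehash_for_bcrypt(passphrase: str) -> str:
    """Fold a passphrase of any length into 44 ASCII characters, the 'prehashing'
    workaround the scrypt paper suggests for bcrypt's 55-character limit.

    Base64 of SHA-256 is 44 characters and contains no NUL byte, so it is safe to hand
    to a C bcrypt implementation. The bcrypt call itself (third-party library) is not
    shown; this function only demonstrates the quoted caveat.
    """
    return _b64(hashlib.sha256(passphrase.encode("utf-8")).digest())


if __name__ == "__main__":
    # Constructed sample: a record created with the asker's 1000-iteration setting.
    legacy = hash_password("correct horse battery staple", iterations=1000)
    ok, upgraded = verify_and_upgrade("correct horse battery staple", legacy)
    print("login ok:", ok, "| legacy below policy:", needs_rehash(legacy),
          "| upgraded record meets policy:", upgraded is not None and not needs_rehash(upgraded))
    print("iterations for ~250 ms on this machine:", calibrate_iterations())
    print("prehashed 500-char passphrase length:", len(prehash_for_bcrypt("x" * 500)))
```

The migration works because the iteration count travels with each record: old rows keep verifying at 1000 iterations until the user next logs in, at which point the plaintext is re-hashed under the current policy. Calibrate the count against the slowest machine that will verify logins, not the fastest one that builds hashes.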

On "passwords - Password hashing: PBKDF2 (using sha512 x 1000) vs Bcrypt", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/4433216/

Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号