Fix grammar and clarify sentences for 09.5.md [en]
This commit is contained in:
Anchor
James Miranda
@@ -30,19 +30,19 @@ There are two key features of one-way hashing:
|
||||
1) given a one-way hash of a password, the resulting summary is always uniquely determined.
|
||||
2) calculation speed. As technology advances, it only takes a second to complete billions of one-way hash calculations.
|
||||
|
||||
Given the combination of the above two characteristics, and taking into account the fact that the majority of people use some combination of common passwords, the attacker can compute a combination of all the common passwords -way hash, get a summary combination, and then a summary of the database for comparison to obtain the corresponding password. This abstract composition is also known as `rainbow table`.
|
||||
Given the combination of the above two characteristics, and taking into account the fact that the majority of people use some combination of common passwords, an attacker can compute a combination of all the common passwords. Even though the passwords you store in your database may be hash values only, if attackers gain access to this database, they can compare the stored hashes to their precomputed hashes to obtain the corresponding passwords. This type of attack relies on what is typically called a `rainbow table`.
|
||||
|
||||
Therefore, after a one-way encryption of data stored, and stored in plain text is not much difference. Therefore, once the site database leaked, all the user's password itself is revealed to the world.
|
||||
We can see that encrypting user data using one-way hashes may not be enough. Once a website's database gets leaked, the user's original password could potentially be revealed to the world.
|
||||
|
||||
## Advanced solution
|
||||
|
||||
Through the above description we know that hackers can use the `rainbow table` to crack hashed passwords, largely because the hash algorithm used to encrypt is public. If a hacker does not know what encryption hash algorithm, that he will not start up.
|
||||
Through the above description, we've seen that hackers can use `rainbow table`s to crack hashed passwords, largely because the hash algorithm used to encrypt them is public. If the hackers do not know what the encryption algorithm is, they wouldn't even know where to start.
|
||||
|
||||
An immediate solution is to design their own a hash algorithm. However, a good hash algorithm is very difficult to design - both to avoid the collision, but also can not have obvious rule, these two points to be much more difficult than expected. Therefore, more practical applications is the use of many existing hash hash algorithm.
|
||||
An immediate solution would be to design your own hash algorithm. However, good hash algorithms can be very difficult to design both in terms of avoiding collisions and making sure that your hashing process is not too obvious. These two points can be much more difficult to achieve than expected. For most of us, it's much more practical to use the existing, battle hardened hash algorithms that are already out there.
|
||||
|
||||
But simply repeated hash, still could not stop hackers. Twice MD5, MD5 three such methods, we can think of, hackers can think naturally. Especially for some of the open source code, so that it is equivalent to the hash algorithm directly to tell a hacker.
|
||||
But, just to repeat ourselves, one-way hashing is still not enough to stop more sophisticated hackers from reverse engineering user passwords. Especially in the case of open source hashing algorithms, we should never assume that a hacker does not have intimate knowledge of our hashing process.
|
||||
|
||||
No unassailable shield, but there is no off constantly spear. Now security is relatively good site, will use a technique called" salt" way to store passwords, it is often said that"salt". Their usual practice is to first conduct a user-entered password MD5 (or other hash algorithm) encryption ; MD5 values will be only an administrator before they know plus some random string, and then conduct a MD5 encryption. The random string can be included in certain fixed string, and can include the user name (used to ensure that each user is not the same encryption key used).
|
||||
Of course, there are no impenetrable shields, but there are also no unbreakable spears. Nowadays, any website with decent security will use a technique called "salting" to store passwords securely. This practice involves concatenating a server-generated random string to a user supplied password, and using the resulting string as an input to a one-way hash function. The username can be included in the random string to ensure that each user has a unique encryption key.
|
||||
|
||||
//import "crypto/md5"
|
||||
// Assume the username abc, password 123456
|
||||
@@ -63,31 +63,33 @@ No unassailable shield, but there is no off constantly spear. Now security is re
|
||||
|
||||
last :=fmt.Sprintf("%x", h.Sum(nil))
|
||||
|
||||
In two salt did not reveal circumstances, if the hacker is the last to get the encrypted string, it is almost impossible to figure out what the original password.
|
||||
In the case where our two salt strings have not been compromised, even if hackers do manage to get their hands on the encrypted password string, it will be almost impossible to figure out what the original password is.
|
||||
|
||||
## Professional solution
|
||||
|
||||
Advanced solutions above a few years ago may be safe enough solution because the attacker does not have enough resources to build so many `rainbow table`. However, so far, because the parallel computing capabilities of the upgrade, this attack has been completely feasible.
|
||||
The advanced methods mentioned above may have been secure enough to thwart most hacking attempts a few years ago, since most attackers would not have had the computing resources to compute large `rainbow table`s. However, with the rise of parallel computing capabilities, these types of attacks are becoming more and more feasible.
|
||||
|
||||
How to solve this problem? As long as time and resources permit, without a password can not be deciphered, so the solution is: Calculate the required password deliberately increase the resources and time consuming, so nobody sufficient resources available to establish the required `rainbow table`.
|
||||
How do we securely store a password so that it cannot be deciphered by a third party, given real life limitations in time and memory resources? The solution is to calculate a hashed password to deliberately increase the amount of resources and time it would take to crack it. We want to design a hash such that nobody could possibly have the resources required to compute the required `rainbow table`.
|
||||
|
||||
Such programs have a feature, the algorithm has a factor used to calculate the digest of the password needed to indicate the resources and time, which is computationally intensive. The greater the intensity calculation, an attacker establishes `rainbow table` more difficult, so that can not continue.
|
||||
Very secure systems utilize hash algorithms that take into account the time and resources it would require to compute a given password digest. This allows us to create password digests that are computationally expensive to perform on a large scale. The greater the intensity of the calculation, the more difficult it will be for an attacker to pre-compute `rainbow table`s -so much so that it may even be infeasible to try.
|
||||
|
||||
It is recommended `scrypt` program, scrypt by the famous hacker Colin Percival of the FreeBSD backup service Tarsnap for his development.
|
||||
In Go, it's recommended that you use the `scrypt` package, which is based on the work of the famous hacker Colin Percival (of the FreeBSD backup service Tarsnap).
|
||||
|
||||
Go language which is currently supported by the library http://code.google.com/p/go/source/browse?repo=crypto#hg%2Fscrypt
|
||||
The packge's source code can be found at the following link: http://code.google.com/p/go/source/browse?repo=crypto#hg%2Fscrypt
|
||||
|
||||
Here is an example code snippet which can be used to obtain a derived key for an AES-256 encryption:
|
||||
|
||||
dk: = scrypt.Key([]byte("some password"), []byte(salt), 16384, 8, 1, 32)
|
||||
|
||||
Through the above method can obtain only the corresponding password value, which is by far the most difficult to crack.
|
||||
You can generate unique password values using the above method, which are by far the most difficult to crack.
|
||||
|
||||
## Summary
|
||||
|
||||
See here, if you had a sense of crisis, then action:
|
||||
If you're worried about the security of your online life, you can take the following steps:
|
||||
|
||||
1) If you are a regular user, then we recommend LastPass for password storage and generation, on different sites use different passwords.
|
||||
1) As a regular internet user, we recommend using LastPass for password storage and generation; on different sites use different passwords.
|
||||
|
||||
2) If you are a developer, then we strongly suggest you use expert program for password storage.
|
||||
2) As a Go web developer, we strongly suggest that you use one of the professional, well tested methods above for storing user passwords.
|
||||
|
||||
## Links
|
||||
|
||||
|
||||
Reference in New Issue
Block a user