lostecho/build-web-application-with-golang
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge commit '4287b77e161f67b1578fd9bc48344569755e9096' into ja

Browse Source
This commit is contained in:
Shin Kojima
2014-12-17 01:14:28 +09:00
parent 9f1c154dc5 4287b77e16
commit 9c6544e84d
1 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
en/eBook/09.5.md
View File

@@ -1,14 +1,14 @@
# 9.5 Password storage
Over a period of time, a lot of websites suffered data breaches user password, which includes top Internet companies - Linkedin.com, CSDN.net, the event swept across the entire domestic Internet, and then it came to more than 8 million users play games information was leaked, another rumor everyone, happy network, a distant community, good margin century, Lily network and other communities are likely to become the next target hackers. The endless stream of similar events to the user's online life a huge impact, feel insecure, because people tend habit of using the same password for different sites, so a"violent Library", all suffer.
Over the years, many websites have suffered from breaches in user password data. Even top internet companies such as Linkedin and CSDN.net have been effected. The impact of these types of events has been felt across the entire internet, and cannot be underestimated. This is especially the case for today's internet users, who often adopt the habit of using the same password for many different websites.
So we as a Web application developer, the choice of password storage scheme, which is easy to fall into the pitfalls and how to avoid these traps?
As web developers, we have many choices when it comes to implementing a password storage scheme. However, this freedom is often a double edged sword. So what are the common pitfalls and how can we avoid falling into them?
## Common solution
## Common solutions
Currently the most used password storage scheme is to make one-way hash plaintext passwords stored after, there is a one-way hash algorithm characteristics: can not hashed summary (digest) recover the original data, which is the"one-way" two source word. Commonly used one-way hash algorithms include SHA-256, SHA-1, MD5 and so on.
Currently, the most frequently used password storage scheme is to one-way hash plaintext passwords before storing them. The most important characteristic of one-way hashing is that it is infeasible to recover the original data given the hashed data -hence the "one-way" in one-way hashing. Commonly used cryptographic, one-way hash algorithms include SHA-256, SHA-1, MD5 and so on.
Go language these three encryption algorithm is as follows:
You can easily use the three aforementioned encryption algorithms in Go as follows:
//import "crypto/sha256"
h := sha256.New()
@@ -25,12 +25,12 @@ Go language these three encryption algorithm is as follows:
io.WriteString(h, "需要加密的密码")
fmt.Printf("%x", h.Sum(nil))
There are two one-way hash features:
There are two key features of one-way hashing:
1) with a one-way hash of the password, the resulting summary is always uniquely determined.
2) calculation speed. As technology advances, a second to complete billions of one-way hash calculation.
1) given a one-way hash of a password, the resulting summary is always uniquely determined.
2) calculation speed. As technology advances, it only takes a second to complete billions of one-way hash calculations.
Combination of the above two characteristics, taking into account the majority of people are using a combination of common password, the attacker can be a combination of all the common password -way hash, get a summary combination, and then a summary of the database for comparison to obtain the corresponding password. This abstract composition is also known as `rainbow table`.
Given the combination of the above two characteristics, and taking into account the fact that the majority of people use some combination of common passwords, the attacker can compute a combination of all the common passwords -way hash, get a summary combination, and then a summary of the database for comparison to obtain the corresponding password. This abstract composition is also known as `rainbow table`.
Therefore, after a one-way encryption of data stored, and stored in plain text is not much difference. Therefore, once the site database leaked, all the user's password itself is revealed to the world.