I am programming a new site in JSF. At the moment i program the Login.
I used md5 some years ago, but with Rainbow Tables i think its noch safe anymore.
So, how should i store the Password in the Database ?
问题:
回答1:
Here is excellent, detailed guide: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2007/july/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/
回答2:
The first thing you want to do is look for a pre-built system from your vendor. You want to push as much as this as possible to someone who writes security code for a living, because it's very easy to get wrong in subtle ways that you don't even know about until it's too late. This way you'll also be able to get service updates from them and so you just don't have to think about it anymore.
Beyond that, remember to generate a per-account salt to go with your password, and use a secure hashing algorithm (md5 is meant for speed, not necessarily security). SHA1 is pretty common, though it's starting to get old, too.
回答3:
I suggest hashing with sha512 and salting. (Store a random value for everyone and hash the password and that value together.)
回答4:
If you look up PKCS#5 (or better, find a reputable implementation that already does it), you'll find a pretty good mechanism.
Basically, you pick a number (say 500), a password, a hash algorithm, and a salt (random data added to the end of the password to make it less guessable).
- Take the password, salt it, and hash it.
- Take the result, salt that (Same salt) and has that.
- Repeat step 2 N times (in this example, N is 500).
- Store the final hashed, salted result, along with N and the salt itself in your password database.