Salting: Is it reasonable to use the user name?

礼貌的吻别 2021-02-20 16:53

I am debating using user-names as a means to salt passwords, instead of storing a random string along with the names. My justification is that the purpose of the salt is to prev

6 answers
  •  伪装坚强ぢ
    2021-02-20 17:26

    Random salting prevents comparison of two independently-computed password hashes for the same username. Without it, it would be possible to test whether a person's password on one machine matched the one on another, or whether a password matched one that was used in the past, etc., without having to have the actual password. It would also greatly facilitate searching for criteria like the above even when the password is available (since one could search for the computed hash, rather than computing the hash separately for each old password hash value).

    As to whether such prevention is a good thing or a bad thing, who knows.
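The comparison described in the answer above, as an added example that is not part of the original post: the same user and password enrolled on two machines, once with the user name as salt and once with a random per-record salt. The function names, the PBKDF2 parameters and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative work factor (assumption), not a recommendation


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll_username_salt(username: str, password: str) -> dict:
    """Scheme from the question: the user name itself is the salt."""
    salt = username.encode()
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def enroll_random_salt(username: str, password: str) -> dict:
    """Conventional scheme: a fresh random salt stored beside the hash."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def same_hash(a: dict, b: dict) -> bool:
    """What a holder of two password tables can test without knowing any password."""
    return hmac.compare_digest(a["hash"], b["hash"])


def demo() -> dict:
    # Constructed sample data: one user with the same password on two machines.
    user, pw = "alice", "correct horse battery staple"
    return {
        "username_salt_hashes_match": same_hash(
            enroll_username_salt(user, pw), enroll_username_salt(user, pw)),
        "random_salt_hashes_match": same_hash(
            enroll_random_salt(user, pw), enroll_random_salt(user, pw)),
        "random_salt_still_verifies": verify(enroll_random_salt(user, pw), pw),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the user name as salt the two records carry identical hashes, so password reuse across machines (or against an old record) is visible from the tables alone; with random salts the hashes differ while login verification still succeeds.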
