问题
Currently building a web facing authentication service in Qt for a Quiz program.
It is my understanding that when storing a users password in a database it must be obscured in case it falls into the wrong hands.
The prevailing method appears to be a process of adding Salt to the password and then storing the computed hash of the combination.
This hash can later be compared :
HASH( userinput + SALT ) = StoredHash
Qt provides QCryptographicHash::hash( data, Algorithm method) but as the key is presumably random I do not see how this can be useful.
Alternatively Qt Provides QMessageAuthenticationCode::hash( message, key, Algorithm method) am I correct in thinking that message would be userpassword and key would be pseudo_random(row_id).
I am thinking of using the Sha2-256 Algorithim do I need Cryptographically secure pseudorandom number generator ?
回答1:
The Qt Library components are indeed unsuitable for Cryptography.
libSodiums implementation of Argon plugs in nicely and although relatively new owasp and others are saying good things.
.pro
QMAKE_CXXFLAGS += -lsodium
QMAKE_LFLAGS += -lsodium
One must still enforce or generate strong passwords.
回答2:
The commonly used algorithm for hashing password currently is bcrypt.
There is a simple C++ implementation here
There is two important thing for hashing password:
- Salt, as you stated, to protect against rainbow table attack. Salt should be different for each user.
- Iterative hashing, where you will hash the password several thousands of times to make brute force attack significantly slower.
bcrypt implement both of these.
来源:https://stackoverflow.com/questions/40136573/qt-computing-and-comparing-password-hashs