共 (2) 个答案

1. # 1 楼答案

   你能做的就是得到一个：

   StringBuilder salt=new StringBuilder();
   salt.append("MySuperSecretSalt");
   MessageDigest md = MessageDigest.getInstance("SHA-256");
   String text = "This is text to hash";
   salt.append(text);    
   md.update(salt.toString().getBytes("UTF-8")); // Change this to "UTF-16" if needed
   byte[] digest = md.digest();
   

   您的摘要现在包含字符串+盐的散列，因此它有助于防止彩虹表

2. # 2 楼答案

   我建议使用基于密码的密钥派生函数，而不是基本的哈希函数。比如：

   // tuning parameters
   
   // these sizes are relatively arbitrary
   int seedBytes = 20;
   int hashBytes = 20;
   
   // increase iterations as high as your performance can tolerate
   // since this increases computational cost of password guessing
   // which should help security
   int iterations = 1000;
   
   // to save a new password:
   
   SecureRandom rng = new SecureRandom();
   byte[] salt = rng.generateSeed(seedBytes);
   
   Pkcs5S2ParametersGenerator kdf = new Pkcs5S2ParametersGenerator();
   kdf.init(passwordToSave.getBytes("UTF-8"), salt, iterations);
   
   byte[] hash =
       ((KeyParameter) kdf.generateDerivedMacParameters(8*hashBytes)).getKey();
   
   // now save salt and hash
   
   // to check a password, given the known previous salt and hash:
   
   kdf = new Pkcs5S2ParametersGenerator();
   kdf.init(passwordToCheck.getBytes("UTF-8"), salt, iterations);
   
   byte[] hashToCheck =
       ((KeyParameter) kdf.generateDerivedMacParameters(8*hashBytes)).getKey();
   
   // if the bytes of hashToCheck don't match the bytes of hash
   // that means the password is invalid