堆栈内存溢出
  简体   繁体   English

从python访问哈希的mysql密码

[英]Access hashed mysql password from python

 原文  2013-06-23 18:00:13       python/ mysql/ encryption/ hash

问题描述

This seems somewhat trival but I have spent a bit of time googling with no results. 这似乎有些琐碎,但我花了一些时间在Google搜索上没有结果。 Anyways I am developing a web app and I need to store 'sensitive' data in a mysql database and then access it to authenticate api calls from python. 无论如何,我正在开发一个Web应用程序,我需要将“敏感”数据存储在mysql数据库中,然后访问它以验证来自python的api调用。 I am no security expert but I have a basic understanding of hashing and encrypting. 我不是安全专家,但是我对散列和加密有基本的了解。

I know how to encrypt the data with aes_decrypt aes_encrypt and I also know how to hash the data using the password() function supplied by mysql. 我知道如何使用aes_decrypt aes_encrypt加密数据,并且我也知道如何使用mysql提供的password()函数对数据进行哈希处理。

My first question is should I be encrypting this data or hashing it? 我的第一个问题是我应该对该数据进行加密还是对其进行哈希处理? My second question is I do not know how to 'access' or 'use' the password information in python once I hash it using the password() function in mysql. 我的第二个问题是,一旦我在mysql中使用password()函数对其进行哈希处理,就不知道如何在python中“访问”或“使用”密码信息。

Any help is much appreciated. 任何帮助深表感谢。

1 个解决方案

解决方案1
 0  2013-06-23 18:17:36

Firstly I am no python expert, my answer is only aimed for a general approach. 首先,我不是python专家,我的回答只是针对一般方法。

Passwords in web applications are usually stored as hashes, not encrypted, this basically makes it harder for someone to get them if your table is compromised. Web应用程序中的密码通常存储为散列,而不是加密的,这基本上使如果您的表被盗用,某人很难获得它们。 Hashes should be generated as solid as possible. 散列应尽可能地坚实。 Please do not just a MD5, better use something more secure (from todays perspective) and salt it properly to minimize the risk of rainbow attacks. 请不仅仅是MD5,最好使用更安全的东西(从今天的角度来看),并对其进行适当的撒盐处理,以最大程度地减少彩虹攻击的风险。

I wouldn't use the MySQL Password() function for this. 我不会为此使用MySQL Password()函数。 The documentation says: 文件说:

The PASSWORD() function is used by the authentication system in MySQL Server; PASSWORD()函数由MySQL Server中的身份验证系统使用; you should not use it in your own applications. 您不应在自己的应用程序中使用它。 For that purpose, consider MD5() or SHA2() instead. 为此,请考虑使用MD5()SHA2()

This leaves SHA2() , if you want to hash with MySQL, though don't forget to salt the string before hashing. 如果您想使用MySQL进行哈希处理,则将保留SHA2() ,尽管不要忘记在哈希处理前先对字符串加盐。 My way of doing it would be to hash the string with your application (see python hashli b for reference), salt it like this and then just store the hash in the database. 我的方法是使用应用程序对字符串进行哈希处理(请参阅python hashli b以供参考), 像这样对其进行加盐处理 ,然后将哈希存储在数据库中。 This avoids security issues of your data between your application and the database server. 这样可以避免应用程序和数据库服务器之间的数据安全性问题。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何从 Python 中的数据库中减去哈希密码 - How to substract a hashed password from database in Python 无法使用Python从PostgreSQL数据库检索哈希密码 - Can't retrieve hashed password from postgreSQL Database with Python Python中的哈希密码验证不起作用 - Hashed password authentication in Python not working 在python中恢复盐腌和哈希密码 - Recover a salted and hashed password in python 搜索哈希密码文件Python - Search Hashed Password File Python PyMongo 如何在没有用户名的情况下访问散列密码 - PyMongo how to access hashed password without username 将bcrypt密码哈希从PHP迁移到Python - ValueError:无效的hashed_pa​​ssword salt - Migrate bcrypt password hash from PHP to Python - ValueError: Invalid hashed_password salt 如何将散列密码与 Python 中的 Input() 进行比较? - How to compare hashed password to Input() in Python? Python哈希密码可在其他脚本中使用? - Python hashed password to use in different script? 使用Python和Pexpect返回本地哈希密码 - Using Python and Pexpect to return localhost hashed password
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM