堆栈内存溢出
  简体   繁体   English

在SQL中最终需要以纯文本格式存储密码的最佳方法是什么?

[英]What would be the best way of storing a password in SQL that needs to eventually be in plain text?

 原文  2014-10-30 12:26:53       c#/ sql/ sql-server/ security

问题描述

For user passwords, we should always hash and salt them and then store the hash and salt in the DB. 对于用户密码,我们应该始终对它们进行哈希处理和加盐处理,然后将哈希值和加盐存储在数据库中。 But what's the best practice for storing passwords that need to be eventually be in plain text? 但是,存储最终需要以纯文本格式存储的密码的最佳实践是什么? I don't feel comfortable storing a plain text password in SQL, but I have to send the password to a library so it can access something. 在SQL中存储纯文本密码时,我感到不舒服,但是我必须将密码发送到库,以便它可以访问某些内容。

My thinking was that I could store an encrypted password on the database server and then decrypt on the web server. 我的想法是,我可以将加密的密码存储在数据库服务器上,然后在Web服务器上解密。 If both are compromised, I'm screwed. 如果两者都受到损害,那我就搞砸了。 But if just one if compromised, the encryption gives me enough time to change the password. 但是,如果只是一个被盗用,则加密使我有足够的时间来更改密码。

What do you all think? 你们怎么想

3 个解决方案

解决方案1
 0  2014-10-30 12:33:53

为了安全起见,只需对密码进行哈希处理并保存,然后可以在需要进行身份验证时将用户密码输入与数据库中的哈希码进行比较。

解决方案2
 0  2014-10-30 12:42:33

If you really need to get plain-text form of password ( which is really not good idea ) you can use symmetric encryption for security user passwords. 如果您确实需要获得纯文本形式的密码(这确实不是一个好主意),则可以对安全用户密码使用对称加密。 But you must figure out how to keep private key in secure. 但是您必须弄清楚如何确保私钥的安全。 I mean you need a private key in your code in order to decrypt data. 我的意思是您需要在代码中使用私钥才能解密数据。 Also all of your developers can access private key which means they can access plain-text too. 同样,您所有的开发人员都可以访问私钥,这意味着他们也可以访问纯文本。

Also I suggest you to read this article. 我也建议您阅读这篇文章。 It's comparing hashing and encrypting user password. 它在比较散列和加密用户密码。 http://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374 http://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374

解决方案3
 -1  2014-10-30 12:35:07

Microsoft provide an API for this use case as part of the Crypto API. Microsoft提供了此用例的API ,并将其作为Crypto API的一部分。 It's not particularly easy to work with, but provides much better security than storing keys in text files, or in the database. 它并不是特别容易使用,但是比将密钥存储在文本文件或数据库中提供了更好的安全性。

It's fair to assume that if an attacker can get onto your database server, they have access to every system in your environment; 可以公平地假设,如果攻击者可以进入您的数据库服务器,则他们可以访问您环境中的每个系统。 and even if you think you have "time to change the password", how would you know your system has been compromised? 即使您认为自己有“时间来更改密码”,又怎么会知道您的系统已受到威胁? Most attacks aren't noticed until much, much later... 大多数攻击直到很久以后才被发现...

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 储存密码的最佳方法(无数据库或纯文本)? - Best way to store password (no database or plain text)? 在会话.NET中存储纯文本密码 - Storing plain text password in session .NET 在自动客户端上存储静态密码的最佳方法 - Best way for storing a static password on an automated client 我选择在Microsoft SQL Server 2008中存储纯文本的数据类型是什么? - What data type do I choose for storing plain text in Microsoft SQL Server 2008? 用纯文本解析占位符的最佳实践是什么? - What is the best practice to resolve placeholders in a plain text? 将密码存储到sql的最佳方法 - Best way to store password into sql 加密密码的最佳方法是什么? - What is the best way to encrypt a password? 单击此元素的最佳方法是什么? - What would be the best way to click on this element? 验证XML的最佳方法是什么? - What would be the best way to validate XML? 包装枚举的最佳方法是什么 - What would be the best way to wrap an enum
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM