简体繁体 English

如何在不将密码保存在数据库中的情况下对用户进行身份验证

[英]how to authenticate users without saving passwords in database

原文 2015-02-21 12:35:39 6 2 security/ authentication/ passwords/ onlinebanking

I am developing a banking demo application.我正在开发银行演示应用程序。 In my region users log-in to their bank website and do some transaction based on two fields that they have(You can assume two passwords- we call them cvv2 and Second-Password).在我所在的地区，用户登录他们的银行网站并根据他们拥有的两个字段进行一些交易（您可以假设两个密码 - 我们将它们称为 cvv2 和 Second-Password）。 These two passwords are only using for internet or mobile transactions.这两个密码仅用于互联网或移动交易。

I am sure that they do not save these passwords in database;我确信他们不会将这些密码保存在数据库中； because if they save these passwords in database, then the database administrator can use them and do fake transaction without real user permission.因为如果他们将这些密码保存在数据库中，那么数据库管理员可以在没有真正用户许可的情况下使用它们并进行虚假交易。

By the way the question is that how the bank and its web site authenticate users and check that the entered fields(that two passwords) are right when they do not save these passwords in the data base.顺便说一句，问题是银行及其网站如何验证用户身份并检查输入的字段（这两个密码）是否正确，但当他们没有将这些密码保存在数据库中时。

2 个解决方案

Most banking systems today, do not rely on simple passwords, they have a two-factor authentication inplace. 今天的大多数银行系统不依赖于简单的密码，它们具有双因素身份验证。 This could be for example an independend device to generate a code using your credit-card, or a least a TAN list. 这可以是例如使用您的信用卡生成代码的独立设备，或者至少是TAN列表。

When they store a password (usually done in combination with other security measures), then you can be sure that they store a hash of the password. 当他们存储密码（通常与其他安全措施结合使用）时，您可以确保他们存储密码的哈希值 。 A hash is one-way, you cannot get back the original password from it. 哈希是单向的，你无法从中获取原始密码。 Good hash algorithms for storing passwords are BCrypt, PBKDF2 or SCrypt, because they offer a cost factor. 用于存储密码的良好哈希算法是BCrypt，PBKDF2或SCrypt，因为它们提供了成本因子。 If you are interested to read more about the topic, you can have a look at my tutorial abour securely storing passwords. 如果您有兴趣阅读有关该主题的更多信息，可以查看我的教程，安全地存储密码。

I am new to this but found a way to not store the password in the database and still authenticate the user.我对此很陌生，但找到了一种不将密码存储在数据库中并仍对用户进行身份验证的方法。

You can create a payload of username and password, something like "username + password" and then hash it using bcrypt or any other algorithms.您可以创建用户名和密码的有效负载，例如“用户名 + 密码”，然后使用 bcrypt 或任何其他算法对其进行哈希处理。

Store this hash in the database with the username field.将此哈希值与用户名字段一起存储在数据库中。 In this way, the password won't be stored anywhere.这样，密码就不会存储在任何地方。

Next time you want to authenticate you can take the username and password and generate the hash from it and match which is present in the database.下次您要进行身份验证时，您可以获取用户名和密码并从中生成哈希值并匹配数据库中存在的值。 Only the correct password will result in same hash.只有正确的密码才会产生相同的哈希值。

Please correct me if I am wrong and there is an flaw in this.如果我错了，请纠正我，这有缺陷。