[英]How to store thirdparty passwords without reading them
I need help with a situation I can't get my head around. 在无法解决的情况下,我需要帮助。 I need to store a password from a third-party service, and I dont want it to be human-readable.
我需要存储来自第三方服务的密码,并且我不希望它是人类可读的。
I came up with a (possibly dumb) solution: my service generates a secret key that encrypts/decrypts the password, and it uses that key to decrypt the password, when access third-party service is needed, and encrypt it when in need to store it. 我想出了一个(可能很愚蠢的)解决方案:我的服务生成一个加密/解密密码的秘密密钥,并在需要访问第三方服务时使用该密钥解密密码,并在需要时加密该密码。储存它。
The question is my solution safe? 问题是我的解决方案安全吗? Is it good or bad?
是好还是坏? Is there a better approach?
有没有更好的方法? Could you please point directions?
您能指点一下方向吗?
Storing retrievable passwords is probably one of the hardest tasks in cryptography. 存储可检索密码可能是密码术中最困难的任务之一。 Your application needs to get those passwords plaintext, and the same can do an attacker with enough privileges.
您的应用程序需要以明文形式获得这些密码,并且攻击者也可以使用足够的特权来获得这些密码。 There are some common ways to solve this problem though:
但是,有一些常见的方法可以解决此问题:
None of the systems above are bullet proof, the application itself has to be able to get the passwords after all. 上面的系统都不是防弹的,毕竟应用程序本身必须能够获得密码。 This is why one tries to avoid storing passwords completely (eg storing hashes) if possible.
这就是为什么要尽可能避免完全存储密码(例如存储哈希)的原因。
If you can afford dedicated hardware, you could either out-source the password management to a second server which is not accessible from the internet, or you could think about purchasing a hardware secuity modules . 如果您能负担得起专用硬件,则可以将密码管理外包给无法从Internet访问的第二台服务器,或者可以考虑购买硬件安全模块 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.