
How to manage passwords in web applications?

What is the current state-of-the-art method for persisting users' passwords in web applications? I am working with Java 6 + MySQL. Some of the questions I have in mind are: Is it better to encode in the app or by means of the DBMS (is this relevant at all)? Which algorithm is considered to be reliable? What to store in the database? I'm really new to this stuff, so I might have missed some critical details, in which case please do not hesitate to let me know.

Thank you.

You should store a securely hashed and salted version of passwords in the database, so that if your site is hacked, users' other accounts are not compromised (since users use the same password almost everywhere).

To do this, the following should be done:

  1. Use a secure hashing algorithm that is not yet broken (SHA-512 preferably; SHA-1 and MD5 are broken).
  2. Concatenate Username+Password+Salt (the salt should be a relatively long constant string which stays the same over the lifetime of your application, and prevents rainbow-table attacks to some extent).
  3. SHA-512 the concatenation and store the result in the database.
  4. Every time a user tries to log in, hash his/her credentials using the same method and check against the data in the database; if they are the same, it's correct.

It is not important where you hash passwords (app or DB), but DBs have limited secure hashing functionality, so the app is the better choice.

bcrypt is a reliable algorithm for password hashing. It's been created by security professionals with security in mind.

bcrypt is slow (that's a good thing; it makes rainbow table creation very costly). You can configure bcrypt with a variable number of rounds to scale with whatever hardware you are using (more rounds = slower). Also, it automatically handles salt generation, with a different salt per hash (which makes a rainbow table attack close to impossible, due to the slow nature of bcrypt and the fact that it would take a full rainbow table per password).

A Java implementation of bcrypt is available at jBCrypt.

You are going to face the wrath of a lot of self-proclaimed security gurus for asking a question like this. I myself am not a security expert, but I feel qualified enough to put forth some suggestions, driven by common sense. Depending on how secure you want your application to be, there are various methodologies.

1- Most of the attacks happen when you transfer credentials over the wire (man-in-the-middle stuff). So you need to make sure that the transfer of username and password is made secure (SSL or HTTP Digest). If security is very important, then you should explore whether the username / password need to be passed at all (by using some token-based authentication like OAuth instead of username and password).

2- In case you decide to pass in username and password, you need to reduce the lifetime of the password string in your application scope. Of course the best method is to implement an authentication filter based on a mechanism like LDAP. Most LDAP stores will allow you to store encrypted passwords and will allow you to perform authentication by binding (so your application will never worry about authentication and storing).

3- In case you do bring your password to your application tier, of course you still need to reduce the lifetime of your plaintext password and encrypt it using some secure hashing algorithm. But this approach, storing the password in your database (even in encrypted form), is not all that safe (especially since you are storing the password, someone can circumvent your security layer).

So to summarize, based on the amount of security you need, you need to ask yourself the following questions.

1- Should you need to send username / password?

2- Can you make sure that the password cannot be sniffed over the network?

3- Can you not delegate your authentication to a front filter, rather than bringing it on to your application tier?
