堆栈内存溢出
  简体   繁体   English

在php中传输用户密码的安全方法

[英]secure way to transfer user passwords in php

 原文  2012-03-17 17:08:47       c#/ php/ encryption/ public-key-encryption/ password-encryption

问题描述

Hi I am googling these days to find a better way to send user info(including password) through the internet. 嗨,我这几天谷歌搜索找到一个更好的方式来通过互联网发送用户信息(包括密码)。 Our servers don't have SSL installed. 我们的服务器没有安装SSL。 so need a very simple and secure method to send user info. 所以需要一种非常简单安全的方法来发送用户信息。 In future my boss want to expand it to connect with desktop applications written in .net(C#). 将来我的老板想要扩展它以连接用.net(C#)编写的桌面应用程序。 so the methods should be compatible with .net also. 所以这些方法也应该与.net兼容。 I need a advice or any thing that I can get a good idea for developing a better solution. 我需要一个建议或任何我可以为开发更好的解决方案的好主意。

4 个解决方案

解决方案1
 4 已采纳  2012-03-17 17:18:42

Some thoughts: 一些想法:

  1. Use TLS/SSL. 使用TLS / SSL。 Really. 真。 A web server certificate can be obtained for free these days. 这些天可以免费获得Web服务器证书。
  2. Use TLS/SSL. 使用TLS / SSL。 I really mean it. 我真心的。 Don't be naive thinking that you can do a home brew solution, no matter which complex encryption algorithm you can imagine, that can outperform the legacy secure and easy of implementation as TLS/SSL is. 不要天真地认为你可以做一个家庭酿造解决方案,无论你能想象哪种复杂的加密算法,都可以胜过传统的安全和易于实现的TLS / SSL。
  3. To solve a scenario with web clients and desktop clients, you should take a look at OAuth . 要解决使用Web客户端和桌面客户端的方案,您应该查看OAuth

解决方案2
 1  2012-03-17 17:14:02

If you mean sending the password from a login form to the server in a secure way, there is nothing better than SSL. 如果您的意思是以安全的方式将登录表单中的密码发送到服务器,那么没有比SSL更好的了。 You could try implementing a system like Public key encryption, but I think it would be easier to enable SSL... 您可以尝试实现公钥加密等系统,但我认为启用SSL会更容易......

To store the passwords, simply use an encryption function like sha1 要存储密码,只需使用sha1等加密函数即可

If you mean authenticating users in a desktop application you could implement oauth for example, which is not very hard and provides a very safe way of doing so. 如果您的意思是在桌面应用程序中对用户进行身份验证,那么您可以实现oauth ,这不是很难,并提供了一种非常安全的方法。

解决方案3
 1  2012-03-17 17:54:42

This approach is called Digest authentication and quite easy to implement. 这种方法称为摘要式身份验证 ,非常容易实现。

However, to use it you have to store passwords in plain text, you can't use it with hashes. 但是,要使用它,您必须以纯文本形式存储密码,不能将其与散列一起使用。
Which, in my point of view, makes it completely impossible to use. 在我看来,这使得它完全不可能使用。

解决方案4
 0  2012-03-17 17:13:35

1 curl (simple) 1卷曲(简单)
2 md5 encryption POST method 2 md5加密POST方法
3 web service (complex) 3网络服务(复杂)

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将密码存储在cookie中是否安全? - Is it secure to store passwords in cookies? 使用 GetHashCode 来“保护”用户密码 - Using GetHashCode to “secure” users passwords web 应用程序用户身份验证的最安全方式 - Most secure way for web application user authentication 安全的json数据传输? - secure json data transfer? 如何确保密码安全? - How do I keep my passwords secure? 将散列应用于应用程序内生成的安全密码 - Apply hashing to secure passwords generated within the app 没有用户名和密码的用户身份验证 - User Authenication without usernames and passwords 比较散列密码的正确方法 - The right way to compare hashed passwords static RNGCryptoServiceProvider - 生成会话和随机密码是否安全且线程安全? - static RNGCryptoServiceProvider — Is it secure & threadsafe for generating sessions and random passwords? 正在使用RijndaelManaged对象来保护密码足够安全以及将密钥存储在何处 - Is using RijndaelManaged object to secure passwords enough and where to store keys
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM