堆栈内存溢出
  简体   繁体   English

在网络主机上存储密码或私钥的最佳方法是什么?

[英]What's the best way to store a password or private key on a web host?

 原文  2012-06-27 18:27:05       c#/ asp.net/ security/ web-hosting

问题描述

I'm not referring to passwords that don't have to be used (such as passwords for other users to my site - in which case I really don't have to store them. See https://stackoverflow.com/a/1054069/939213 .) so simply storing hashes is not an option. 我不是指不需要使用的密码(例如网站上其他用户的密码-在这种情况下,我真的不必存储它们。请参阅https://stackoverflow.com/a/ 1054069/939213 。),因此不能简单地存储散列。

I'm referring to storing passwords to an SQL database and a private key that the software on the shared server has to use. 我指的是将密码存储到SQL数据库和共享服务器上的软件必须使用的私钥。

I assume there's no really secure way to do it. 我认为没有真正安全的方法可以做到这一点。 I just want to know what's the best in this situation . 我只想知道在这种情况下最好的方法

I'm trying to keep them secure from hackers (on the same web host or not). 我试图保护他们免受黑客攻击(无论是否在同一台Web主机上)。 Not from others who have permission to see the files. 并非来自其他有权查看文件的人。

It's ASP.Net codebehind that will be using them. 背后将使用它们的是ASP.Net代码。

2 个解决方案

解决方案1
 3  2012-06-27 18:31:31

The best way to store the password is to not store it. 储存密码的最佳方法是不储存密码。 Use integrated (Windows) authentication to connect to SQL Server. 使用集成(Windows)身份验证连接到SQL Server。 This involves running your IIS app pool as a specific (Windows) user, and granting that user access to log into the database and run the needed queries. 这涉及以特定(Windows)用户身份运行IIS应用程序池,并授予该用户访问数据库的权限并运行所需的查询。

See also SQL Server Integrated Authentication Mode 另请参见SQL Server集成身份验证模式

Aside from being more secure, it performs better. 除了更安全之外,它的性能也更好。 Using per-user connection strings defeats connection pooling. 使用每个用户的连接字符串会使连接池失败。

EDIT: 编辑:

If you absolutely must store the password, then using Encrypted Connection Strings in ASP.NET is the way to go. 如果您绝对必须存储密码,那么可以在ASP.NET中使用“ 加密的连接字符串” This takes care of using DPAPI to store the connection string and machine key correctly, reducing the chance that you screw it up and think you've secured it when you haven't. 这可以确保使用DPAPI正确存储连接字符串和机器密钥,从而减少了拧紧连接和认为自己没有保护它的机会。

Also: Encrypting Connection String in web.config 另外: 在web.config中加密连接字符串

解决方案2
 2 已采纳  2012-06-27 18:42:54

Windows offers the Data Protection API (DPAPI) specifically for this purpose. Windows为此专门提供了数据保护API(DPAPI)。 Look into the ProtectedData class for consuming it from .NET. 查看ProtectedData类以从.NET使用它。

The advantage of DPAPI is that your sensitive data is encrypted based on the Windows user's logon credential, meaning that it is secure unless your Windows account is compromised. DPAPI的优点在于,您的敏感数据是根据Windows用户的登录凭据加密的,这意味着除非您的Windows帐户受到威胁,否则它是安全的。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将密码存储到sql的最佳方法 - Best way to store password into sql 检测和存储 Web 应用程序客户端所在时区的最佳方法是什么? - What is the best way to detect and store the timezone the client of a web app is in? 加密密码的最佳方法是什么? - What is the best way to encrypt a password? WPF,什么是存储要在启动时使用的常量的最佳方法? - WPF, What's the best way to store a constant to be used at startup? 将决策表存储在配置文件中的最佳方法是什么? - What's the best way to store a decision table in a config file? 存储已更改对象的最小差分数据的最佳方法是什么? - What's the best way to store the minimum differential data of a changed object? 存储有限数量的“统计数据”的最佳方式是什么? - What's the best way to store a finite number of "stats"? 储存密码的最佳方法(无数据库或纯文本)? - Best way to store password (no database or plain text)? 将键/值对绑定到asp标签的最佳方法是什么 - What's the best way to bind key/value pair to an asp label 在Windows和Web App中处理数据库升级的最佳方法是什么? - What's the best way to process database upgrades in Windows and Web App?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM