
Where do I hash the password?

I'm using MVC and I want to know at which point I should hash the user password:

  1. before sending to the server (view)
  2. in the server, when I set the object field (model)
  3. in the server, when I send the object to the controller (controller)
  4. in the server, when I prepare the statements (controller)
  5. in the database, e.g. using "set password = sha256(:password)" in the statement

I'm kind of confused. I've always been hashing the password when I create the object and set the field "password", but I've read somewhere that it's not safe enough. I'm not sure.

  • In the view: This is too high up. There will almost certainly be multiple views in your application which do things with passwords (two simple ones: login form and password change form), and having password hashing in the view would lead to duplication.

  • In the database: Too low down. The database should never see plaintext passwords; doing this could, in some situations, end up sending plaintext passwords over the network, displaying them in error messages, or writing them to database logs. Moreover, most of the hash functions supported by databases are too fast to be secure for password storage.

  • In the model: Just right. I'd recommend implementing methods on the user object resembling:

     $user->setPassword($password)    # sets password to specified value
     $user->passwordEquals($password) # returns true if value passed in matches the password

    Note that none of these methods ever expose the password, or how it's stored -- that's all an implementation detail of the object.

Hash it on the server, as soon as you can, i.e. as soon as you receive the request from the client. You have no business with the original password, really. Store the hash, and forget it.

As a rule of thumb, you should treat passwords or hashes of passwords as hot potatoes: you want to stop handling them as soon as possible.

Also, on the off chance that the server process is compromised, you don't want sensitive information lurking in the memory of your server. That's why you should avoid letting the original password linger in memory for too long.

In the domain object that represents the logic, use the User entity. That's within the model layer.

Also, SHA256 should not be considered good enough. You should be using bcrypt, preferably with the crypt() function.
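The model-layer User object with setPassword()/passwordEquals() recommended in the first answer, combined with the bcrypt recommendation in this one, as an added example (not code from any answer on this page). The class and method names are assumed; it uses PHP's built-in password_hash()/password_verify(), which wrap crypt()'s bcrypt mode, so plaintext never leaves the object and only the hash reaches the database.

```php
<?php
// Added example: a User entity that owns password hashing in the model layer.
// Class, method and cost values are assumptions, not from the original answers.
final class User
{
    // Assumed tuning value: bcrypt work factor. Raise it as your hardware allows.
    private const BCRYPT_COST = 12;

    private string $passwordHash = '';

    // Hash the plaintext exactly once, here. The plaintext is never stored.
    // Note: bcrypt only uses the first 72 bytes of the input.
    public function setPassword(string $password): void
    {
        $this->passwordHash = password_hash(
            $password, PASSWORD_BCRYPT, ['cost' => self::BCRYPT_COST]
        );
    }

    // password_verify() compares in constant time against the stored hash.
    public function passwordEquals(string $password): bool
    {
        return $this->passwordHash !== ''
            && password_verify($password, $this->passwordHash);
    }

    // Lets a login controller transparently upgrade hashes whose parameters
    // are weaker than the current policy (e.g. after raising BCRYPT_COST).
    public function passwordNeedsRehash(): bool
    {
        return password_needs_rehash(
            $this->passwordHash, PASSWORD_BCRYPT, ['cost' => self::BCRYPT_COST]
        );
    }

    // The only thing that ever leaves the object is the hash, for persistence.
    public function getPasswordHash(): string
    {
        return $this->passwordHash;
    }
}

// Usage sketch with a constructed password: what a controller would do.
$user = new User();
$user->setPassword('correct horse battery staple');
assert($user->passwordEquals('correct horse battery staple') === true);
assert($user->passwordEquals('wrong guess') === false);
// A bcrypt hash is 60 characters and starts with "$2y$"; store only this.
assert(strlen($user->getPasswordHash()) === 60);
```

After a successful passwordEquals() the controller can call passwordNeedsRehash() and, if it returns true, call setPassword() again with the just-verified plaintext and persist the new hash.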

First get the value in that field. Then apply the hash function. Do the above operations in your controller and then call the model to store it in the database. It will give you a better understanding.

(I'm not an expert... pleasure to share my information. :)
