简体繁体 English

在数据库上存储用户的数据库密码。使用应用程序用户密码作为加密的好方法吗？

[英]Storing database passwords of users on a database. Is using the application user password as a salt for encryption a good approach?

原文 2013-01-22 00:34:05 9 1 database/ security/ encryption

The application is not finished yet, and for now the passwords and databases information is just encrypted in the database, and decrypted on the application with a key. 该应用程序尚未完成，目前，密码和数据库信息只是在数据库中加密，并使用密钥在应用程序上解密。

But I was thinking, if I could save the database information on an encrypted table, one entry for each combination of user-database, and such information is encrypted using the hashed user password as salt (not the same hash as in the users table, of course). 但是我当时在想，如果我可以将数据库信息保存在一个加密的表中，则为每个用户数据库组合保存一个条目，并且使用散列的用户密码作为salt对此类信息进行加密（与用户表中的散列不同，当然）。 So if an attacker somehow manage to get his hands on the database or the application it still couldn't read all the databases passwords, because it would need the password of an user with access to such database. 因此，如果攻击者设法以某种方式设法使用数据库或应用程序，它仍然无法读取所有数据库密码，因为它将需要具有访问该数据库权限的用户的密码。

And my idea was that when the user logs in, his password is hashed (as in the database salt), and saved as a cookie with a short lifespan to use it while the user is connected. 我的想法是，当用户登录时，他的密码被散列（如在数据库salt中一样），并保存为寿命短的Cookie，以便在用户连接时使用它。

Although I was thinking, if the attacker gains execution on my application, he could still have access to the cookies of connected users with each request. 尽管我在想，但如果攻击者在我的应用程序上获得执行，他仍然可以在每次请求时访问连接的用户的cookie。

The other drawback is that the user couldn't reset the password, because if he did he couldn't decrypt the password to access the databases. 另一个缺点是用户无法重置密码，因为如果这样做，他将无法解密密码以访问数据库。

So, what are your thoughts of this? 那么，您对此有何看法？ Is this a good approach? 这是一个好方法吗？ What would you do? 你会怎么做？

1 个解决方案

There is a misconception here. 这里有一个误解。 Cryptography alone cannot protect your entire business/company/data. 单靠密码技术无法保护您的整个企业/公司/数据。

When you encrypt a data and users always decrypt and use those data, you cannot relay on it, because if you let a hacker get access to your server, hacker will be able to decrypt data like other users. 当您加密数据并且用户始终解密并使用这些数据时，您将无法继续传输数据，因为如果让黑客获得对服务器的访问权限，黑客将能够像其他用户一样解密数据。

For protecting data you have to take other measures, measures like: 为了保护数据，您必须采取其他措施，例如：

Analyzing your web application code, prevent all type of SQL injections, code executions, LFIs, RFIs, XSSes, etc. 分析您的Web应用程序代码，防止所有类型的SQL注入，代码执行，LFI，RFI，XSS等。
Analyze your database access list. 分析您的数据库访问列表。 Do not let your database server become accessible for foreign IPs, even if user knows username/password. 即使用户知道用户名/密码，也不要让外部IP可以访问您的数据库服务器。 Protect databases with proper access lists. 使用正确的访问列表保护数据库。 If most parts of pages doesn't enter data in tables and just do select query, ONLY grant SELECT permission to a user and define this user/pass for SQL queries. 如果页面的大多数部分没有在表中输入数据，而只是选择查询，则仅向用户授予SELECT权限，并为SQL查询定义该用户/密码。
Always keep your server softwares update. 始终保持服务器软件更新。 It could be Server OS, web server app or web app itself. 它可能是服务器操作系统，Web服务器应用程序或Web应用程序本身。

You can protect your data/server with above methods, I don't think overally encrypting always in use users database being encrypted is a good idea. 您可以使用上述方法保护您的数据/服务器，我不认为始终对使用中的用户数据库进行全面加密是个好主意。 It will reduce the speed/performance and will not help you to prevent from being hacked. 它将降低速度/性能，并且不会帮助您防止被黑客入侵。