一般密码问题 [英] General Password questions

问题描述

我在wxPython中创建一个对话框，用于登录

目的。基本上当用户点击ok

按钮时，对话框会将用户名和

密码保存为类属性。然后只要

对话框存在，调用MyDialog.GetUserName（）和

MyDialog.GetPassword（）返回它们。这似乎对我来说是不安全的。有没有更好的方法来实现这个

或者是否安全，只要我尽快销毁对话框

，因为我完成了它？


在类似的说明中，我想将密码保存到

文件中。如何加密密码？我假设直接

二进制文件太容易进行逆向工程，虽然我的

程序并没有真正保存任何重要信息所以

它可能是可以接受的。任何想法或链接都会非常感激。


提前致谢，

Todd A. Johnson


__________________________________

你是雅虎！？

Yahoo! SiteBuilder - 免费，易用的网站设计软件
http://sitebuilder.yahoo .com

I am creating a dialog in wxPython for log in
purposes. Basically when the user clicks the ok
button, the dialog box saves the user name and
password as class attributes. Then as long as the
dialog exists calling MyDialog.GetUserName() and
MyDialog.GetPassword() returns them. This seems
insecure to me. Is there a better way to go about this
or is it safe as long as I destroy the dialog as soon
as I am done with it?

On a similar note, I want to save the password to a
file. How do I encrypt the password? I assume straight
binary is too easy to reverse engineer though my
program isn''t really saving any vital information so
it may be acceptable. Any ideas or links would be very
appreciated.

Thanks in advance,
Todd A. Johnson

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

推荐答案

Todd Johnson写道：

Todd Johnson wrote:

我在创建在wxPython中用于登录
目的的对话框。基本上当用户单击ok
按钮时，该对话框将用户名和密码保存为类属性。然后只要存在
对话框，调用MyDialog.GetUserName（）和
MyDialog.GetPassword（）就会返回它们。这似乎对我来说不安全。


为什么你觉得它不安全？

在类似的说明中，我想将密码保存到
文件中。如何加密密码？

I am creating a dialog in wxPython for log in
purposes. Basically when the user clicks the ok
button, the dialog box saves the user name and
password as class attributes. Then as long as the
dialog exists calling MyDialog.GetUserName() and
MyDialog.GetPassword() returns them. This seems
insecure to me.
Why do you feel it''s insecure?
On a similar note, I want to save the password to a
file. How do I encrypt the password?

你不加密密码，你可以哈希。这意味着使用

加密强哈希算法，如SHA或MD5

并存储结果值。之后，当用户输入

a密码时，您要检查正确的密码，您需要在测试密码上运行相同的哈希算法并比较

存储结果的结果。哈希算法被设计为
，因此对于给定哈希值对应的

密码进行反向工程计算是不可行的，使其成为关于

和存储真实物品一样好，而且不会出现不安全因素。

这种方法。幸运的是，这些算法已经为你实现了，所以你不需要处理复杂的事情。


但是，注意某人的可能性感兴趣的是

破解整个系统可以很容易地做一些事情，比如改变Python源代码，或修改包含

哈希值的密码文件，用他们自己预先计算的哈希代替他们希望输入的密码。


假设你只是想防止偶然入侵和
那里真的没有任何有价值的东西，使用

sha或md5模块的简单哈希可能会很好。当然，在这个

点，我完全可以期待十几个有更多安全背景的人开始踩踏这个建议并告诉你

它有多糟糕，但我活着为人们提供那种机会。 ;-)


我鼓励您通过搜索

网络或其他内容来了解​​更多信息。无论您目前的专业水平如何，花在学习安全问题上的时间总是会自行偿还...


-Peter

You don''t encrypt passwords, you hash them. That means use a
cryptographically strong hashing algorithm such as SHA or MD5
and store the resulting value. Later, when a user has entered
a password which you want to check against the correct one, you
run the same hash algorithm on the password-under-test and compare
the result with the stored result. The hash algorithm is designed
so that it''s computationally infeasible to reverse-engineer a
password that corresponds to a given hash value, making it about
as good as storing the real thing without the insecurity in
that approach. Luckily, these algorithms are already implemented
for you so you don''t need to deal with the complexities.

Note, however, the likelihood that somebody interested in
cracking this whole system could easily do things like change
the Python source, or modify the password file that contains the
hash value, substituting their own pre-calculated hash which
matches the password they wish to enter.

Assuming you are just trying to prevent casual intrusion and
there''s really nothing valuable involved, a simple hash using
the sha or md5 module would probably do fine. Of course, at this
point I fully expect a dozen people with more background in
security to start stomping all over this advice and tell you
how wrong it is, but I live to provide people with that kind of
opportunity. ;-)

I encourage you to learn more about this, too, by searching the
web or something. Time spent studying security issues will always
repay itself, no matter your current level of expertise...

-Peter

2003年9月22日星期一19:32:50 -0400，Peter Hansen写道：

On Mon, 22 Sep 2003 19:32:50 -0400, Peter Hansen wrote:

Todd Johnson写道：

Todd Johnson wrote:

在类似的说明中，我想将密码保存到
文件中。如何加密密码？

On a similar note, I want to save the password to a
file. How do I encrypt the password?

你不加密密码，你可以对它们进行哈希处理。这意味着使用
加密强哈希算法，如SHA或MD5
并存储结果值。之后，当用户输入了您想要检查正确密码的密码时，您在被测密码上运行相同的哈希算法并将结果与​​结果进行比较。存储结果。
[...]
-Peter

You don''t encrypt passwords, you hash them. That means use a
cryptographically strong hashing algorithm such as SHA or MD5
and store the resulting value. Later, when a user has entered
a password which you want to check against the correct one, you
run the same hash algorithm on the password-under-test and compare
the result with the stored result.
[...]
-Peter

彼得，

如果我愿意怎么样重新加载输入的密码？

我写了一个电子邮件客户端，我还没有办法存储用户第一次输入的密码

重新启动程序时使用它。

我不想每次都向用户询问帐户密码，而且还要

我不想将它存储为纯文本。

你知道这些情况下通常的做法是什么吗？


谢谢，

Riccardo


-

- = Riccardo Galli = -


_，e。

s~``

~ @。 ideralis计划

.. ol

` **〜 http://www.sideralis.net

Riccardo Attilio Galli写道：

Riccardo Attilio Galli wrote:

周一，22日2003年9月19:32:50 -0400，Peter Hansen写道：

On Mon, 22 Sep 2003 19:32:50 -0400, Peter Hansen wrote:

Todd Johnson写道：

Todd Johnson wrote:

在类似的说明中，我想要将密码保存到
文件。如何加密密码？

On a similar note, I want to save the password to a
file. How do I encrypt the password?

你不加密密码，你可以对它们进行哈希处理。这意味着使用
加密强哈希算法，如SHA或MD5
并存储结果值。之后，当用户输入了您想要检查正确密码的密码时，您在被测密码上运行相同的哈希算法并将结果与​​结果进行比较。存储的结果。
[...]

You don''t encrypt passwords, you hash them. That means use a
cryptographically strong hashing algorithm such as SHA or MD5
and store the resulting value. Later, when a user has entered
a password which you want to check against the correct one, you
run the same hash algorithm on the password-under-test and compare
the result with the stored result.
[...]

如果我要重新加载输入的密码怎么办？
我写了一个电子邮件客户端，我没有'找不到存储密码的方法
用户第一次进入并在程序重启时使用它。
我不想每次都要求用户输入密码，还有
我不想把它作为纯文本存储。
你知道这些情况下通常的做法是什么吗？

what about if I would reload an entered password?
I wrote an e-mail client, and I haven''t found a way to store the password
that an user enter the first time and use it when the program is restarted.
I don''t want to ask to the user every time the account password, but also
I don''t want to store it as plain text.
Do you know what is the usual practice in these cases?

尽管我能理解你的问题，但我提供的方法

解决了所有这些问题。你需要在网上对这个

的东西进行一些研究，或者做一些实验，然后才能理解

它可能会使用它。


简而言之，这就是重点：你从不使用明文形式的

密码。输入后，将其转换为哈希值。你支持
存储哈希值，如果用户以后输入密码而你需要检查它，你可以将*它*转换为哈希并比较哈希值。从来没有，b / b
，存储或比较纯文本密码。这有帮助吗？


-Peter

As near as I can understand your questions, the approach I provided
solves all these issues. You need to do a little research into this
stuff on the web, or do some experimentation, before you''ll understand
it well enough to use it, perhaps.

In a nutshell, this is the point: you never use the plaintext form of
the password. As soon as it is entered, you convert it to a hash. You
store the hash, and if a user later enters a password and you need to
check it, you convert *it* to a hash and compare the hashes. Never,
ever, store or compare plain text passwords. Does that help?

-Peter

这篇关于一般密码问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！