在桌面应用程序中保护用户密码(Rev 2) [英] Protecting user passwords in desktop applications (Rev 2)

问题描述

我正在创建一个Twitter客户端，并且正在评估保护用户登录信息的各种方式.

I'm making a twitter client, and I'm evaluating the various ways of protecting the user's login information.

重要提示:我需要保护用户数据免受其他应用程序的攻击.例如，想象一下，如果机器人开始四处窃取用户桌面上运行的应用程序中的Twhirl密码或Hotmail/GMail/Yahoo/Paypal，将会发生什么情况.

IMPORTANT: I need to protect the user's data from other other applications. For example imagine what happens if a bot starts going around stealing Twhirl passwords or Hotmail/GMail/Yahoo/Paypal from applications that run on the user's desktop.

澄清:我之前没有使用重要"部分来问这个问题，但是stackoverflow的UI不利于稍后在Q/A对话中添加详细信息.

Clarification: I asked this before without the 'important' portion but stackoverflow's UI doesn't help with adding details later inside the Q/A conversation.

• 哈希显然无法做到
• 以可逆的方式进行混淆就像试图隐藏在我的手指后面
• 纯文本听起来不错，而且可能是混杂的
• 要求用户每次输入密码都会使应用程序厌烦

有什么想法吗?

推荐答案

这是一个问题22.要么让用户每次都输入他的密码，要么不安全地存储(混淆，加密等).

This is a catch-22. Either you make the user type in his password every time, or you store it insecurely (obfuscated, encrypted, whatever).

解决此问题的方法是让更多的操作系统并入内置的密码管理器，例如OS X的Keychain.这样，您只需将密码存储在钥匙串中，操作系统就可以确保其安全性，并且用户只需输入1个主密码即可. OS X上的许多应用程序(例如Skype)都使用Keychain来完全按照您的描述进行操作.

The way to fix this is for more operating systems to incorporate built-in password managers - like OS X's Keychain. That way you just store your password in the Keychain, the OS keeps it secure, and the user only has to type in 1 master password. Lots of applications (like Skype) on OS X use Keychain to do exactly what you are describing.

但是由于您可能正在使用Windows，所以我想说一下混淆和加密.我认为您可能对密码窃取机器人有些偏执；如果您的应用程序没有很大的用户群，那么有人会以它为目标并专门尝试窃取密码的可能性很小.除此之外，他们还必须有权访问受害者的文件系统.如果是这样，他们可能感染了病毒/蠕虫，并且遇到了更大的问题.

But since you are probably using Windows, I'd say just go with some obfuscation and encryption. I think you may be slightly paranoid about the password-stealing-bots; if your application doesn't have a large userbase, odds are pretty low that someone will target it and specifically try to steal the passwords. Besides that, they would also have to have access to their victim's filesystem. If that's the case, they probably have a virus/worm and have bigger problems.

这篇关于在桌面应用程序中保护用户密码(Rev 2)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！