像Meebo这样的网站如何存储用户名和密码? [英] How do sites like Meebo store usernames and passwords?

问题描述

我最近使用了 Meebo ，我必须承认我对输入IM登录信息有点偏执进入这样的网站.他们如何为每个单独的IM服务存储我的用户名和密码?只有当网站使用我的密码并对其执行某种不可逆的单向功能时，我才会感到很自在，但是Meebo似乎必须以一种可以随时检索它们的方式来存储我的密码，以便于自动登录到它们支持的单独的IM服务中.我对此感到偏执是否合理?

I recently used Meebo and I must admit I'm a little paranoid about typing my IM login information into a site like this. How do they store my username and password for each of the separate IM services? I only feel comfortable when a site takes my password and does some type of irreversible, one-way function on it, but it seems that Meebo would have to store my passwords in a way that they could retrieve them at anytime in order to facilitate the automatic logon into the separate IM services they support. Am I justified in being paranoid about this?

我从 Meebo的隐私政策:

第三方IM服务用户名和密码.通过Meebo，您可以通过Meebo登录您的帐户来访问第三方IM服务(第三方IM服务").为了访问您的第三方IM服务帐户，您必须在Meebo服务上输入适用的用户名和密码.要使用网站上的基本IM服务，Meebo不会在我们的服务器上存储您的第三方IM服务帐户的密码. 如果您希望利用服务的高级功能(例如自动登录)，则可能需要存储密码.

杰夫·阿特伍德(Jeff Atwood)早在本文中就此主题发布过:请给我们您的信息电子邮件密码.

Jeff Atwood posted on this topic a while back in this article: Please Give Us Your Email Password.

推荐答案

1. Meebo to Piskvor:给我您的IM密码，我将为您登录.
2. 对Meebo的Piskvor:是"12345".
3. 与我聊天的Meebo:您好，我是"Piskvor"；为了证明这一点，我的密码是"12345"
4. IMe Meebo:您好，您的确是"Piskvor"；用户平均值"还会向您发送一条消息.
5. Meebo到Piskvor:平均"用户向您显示一条消息.
6. (等)

记下第2行和第3行.要执行第3行，Meebo需要输入密码. (除非IM提供程序与Meebo之间有合作(这是可能的，但不太可能)，但在这些行之间的某个点上，它具有您的纯文本密码.

Take note of lines 2 and 3. In order to do #3, Meebo needs your password; (unless there's some cooperation between the IM provider and Meebo (which is possible but unlikely)) it has, at some point between those lines, your plaintext password.

恭喜，您不再拥有对IM帐户的完全控制权；就IM服务而言，Meebo 是您.

Congratulations, you no longer have complete control over your IM account; as far as the IM service cares, Meebo is you.

换句话说:您是否相信Meebo不会滥用您的密码?您信任Meebo保护您的密码吗?您是否相信Meebo不会被黑客入侵并且密码会被盗? 据我所知，没有办法说出来(除非你是Meebo，而你不是).

In other words: do you trust Meebo not to abuse your password? Do you trust Meebo to protect your password? Do you trust that Meebo won't be hacked and your password stolen? As far as I see, there's no way to tell (unless you're Meebo, which you're not).

可以归结为:您相信Meebo的承诺吗?

这是我的$ 0.02:方便吗?查看.太不安全了?检查.

Here's my $0.02: Convenient? Check. Horribly insecure? Check.

哦，要回答标题中的问题:最佳做法是加密密码，不要在任何地方保留明文(超过绝对必要的时间)".但是，我看到了太多带有明文密码字段的数据库.在某些事情真的发生不好之前，一些企业显然将加密视为工作上的浪费. Meebo吗?我无话可说.

Oh, and to answer the question in the title: best practice would be "encrypt the password, don't keep the plaintext anywhere (any longer than absolutely necessary)". However, I've seen too many databases with plaintext password fields; some businesses apparently see encryption as waste of effort until Something Really Bad Happens. Does Meebo? I don't have a way to tell.

这篇关于像Meebo这样的网站如何存储用户名和密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！