Comparing input password to stored hashed password in a web app

Views: 83

Question

After reading this beautiful question: Why is char[] preferred over String for passwords?, I'm curious as to how this applies to servlet based web applications. Say your UI has some input field for the password, the password will be retrievable with request.getParameter("passwordFieldName") which returns a String. Even if you then convert it to a char[], you have to wait for GC to clear the String object.

Also, many of the Encryption/Hashing libraries I'm looking into using for password hashing have a method such as checkPassword(plaintext, hashed) that takes two Strings and returns true if the entered plain text string gives a hash equal to hashed. With this, even if you had a char[], you would still need to convert the array to a String with the new String(char[]) constructor.

It seems to me like you can't really avoid having your password as a String for comparing it to its stored representation. If you are worried about attacks during that small window, how do you protect yourself?

Accepted answer

This is an overreaction and really just "security theater". There is really no scenario in which having a long String as a password in a Java application would be at all desirable to an attacker. If a memory exhaustion attack is a concern, then don't use Strings anywhere.

That being said CWE-521 states that passwords must have a max size. Strings don't really have a max size, and using a char[x] is a good way of enforcing a max size.
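One way to apply the answer's point about enforcing a maximum length with a char[], as an added example that is not from the question or the answer: it uses the JDK's PBEKeySpec, which accepts a char[] directly, so the submitted password is hashed and verified without ever being rebuilt as a String via new String(char[]). MAX_PASSWORD_CHARS, the iteration count and the sample credential are assumed values, not anything stated on the page.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordCheck {
    // Upper bound on password length in the spirit of CWE-521 (assumed policy value)
    static final int MAX_PASSWORD_CHARS = 128;
    static final int ITERATIONS = 210_000;   // assumed PBKDF2 work factor
    static final int KEY_BITS = 256;

    // Derive a hash from a char[]; PBEKeySpec takes the char[] as-is, so no String copy is made here.
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();   // wipe the spec's internal copy of the password
        }
    }

    // Verify a submitted password against (salt, storedHash). Rejects over-long input before
    // doing any expensive hashing, and compares the digests in constant time.
    static boolean checkPassword(char[] submitted, byte[] salt, byte[] storedHash) throws Exception {
        if (submitted.length == 0 || submitted.length > MAX_PASSWORD_CHARS) {
            return false;
        }
        byte[] candidate = hash(submitted, salt);
        try {
            return MessageDigest.isEqual(candidate, storedHash);   // constant-time comparison
        } finally {
            Arrays.fill(candidate, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        // Constructed sample credential standing in for a stored database row
        byte[] stored = hash("correct horse battery".toCharArray(), salt);

        // In a servlet this char[] would come from request.getParameter("passwordFieldName").toCharArray()
        char[] input = "correct horse battery".toCharArray();
        try {
            System.out.println(checkPassword(input, salt, stored));                  // true
            System.out.println(checkPassword("wrong".toCharArray(), salt, stored));  // false
        } finally {
            Arrays.fill(input, '\0');   // wipe our copy; the original String still waits for GC
        }
    }
}
```

The length check and the char[] handling limit the exposure window the question describes; the String returned by getParameter() itself remains in the heap until collected, as the answer notes.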
