从python访问散列的mysql密码 [英] Access hashed mysql password from python
问题描述
这似乎有些琐碎,但是我花了一些时间在谷歌上搜索,但没有结果.无论如何,我正在开发一个Web应用程序,我需要将敏感"数据存储在mysql数据库中,然后访问它以对来自python的api调用进行身份验证.我不是安全专家,但是我对哈希和加密有基本的了解.
我知道如何使用aes_decrypt aes_encrypt加密数据,并且我也知道如何使用mysql提供的password()函数对数据进行哈希处理.
我的第一个问题是我应该对该数据进行加密还是对其进行哈希处理?我的第二个问题是,一旦我在mysql中使用password()函数对其进行哈希处理,就不知道如何在python中访问"或使用"密码信息.
我们非常感谢您的帮助.
首先,我不是python专家,我的回答只针对通用方法.
Web应用程序中的密码通常以散列形式存储,而不是加密,因此,如果您的表被盗用,这基本上会使某人更难获得它们.散列应尽可能地坚实.请不仅仅是MD5,最好使用更安全的东西(从今天的角度来看),并对其进行适当的撒盐处理,以最大程度地减少彩虹袭击的风险.
我不会使用MySQL
PASSWORD()函数由MySQL中的身份验证系统使用 服务器;您不应在自己的应用程序中使用它.为了那个原因 目的,请考虑 MD5()或<而是使用href ="http://dev.mysql.com/doc/refman/5.6/en/encryption-functions.html#function_sha2" rel ="nofollow noreferrer"> SHA2().
这留下了 SHA2() ,如果您想使用MySQL进行哈希处理,尽管不要忘记在哈希处理前先对字符串加盐.我的方法是使用应用程序对字符串进行哈希处理(请参见 python hashli b供参考),像这样加盐,然后将哈希存储在数据库中.这样可以避免应用程序和数据库服务器之间的数据安全性问题.
This seems somewhat trival but I have spent a bit of time googling with no results. Anyways I am developing a web app and I need to store 'sensitive' data in a mysql database and then access it to authenticate api calls from python. I am no security expert but I have a basic understanding of hashing and encrypting.
I know how to encrypt the data with aes_decrypt aes_encrypt and I also know how to hash the data using the password() function supplied by mysql.
My first question is should I be encrypting this data or hashing it? My second question is I do not know how to 'access' or 'use' the password information in python once I hash it using the password() function in mysql.
Any help is much appreciated.
Firstly I am no python expert, my answer is only aimed for a general approach.
Passwords in web applications are usually stored as hashes, not encrypted, this basically makes it harder for someone to get them if your table is compromised. Hashes should be generated as solid as possible. Please do not just a MD5, better use something more secure (from todays perspective) and salt it properly to minimize the risk of rainbow attacks.
I wouldn't use the MySQL Password() function for this. The documentation says:
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA2() instead.
This leaves SHA2(), if you want to hash with MySQL, though don't forget to salt the string before hashing. My way of doing it would be to hash the string with your application (see python hashlib for reference), salt it like this and then just store the hash in the database. This avoids security issues of your data between your application and the database server.
这篇关于从python访问散列的mysql密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
