HTTPS URL中的用户名和密码是否安全? [英] Is username and password in HTTPS URL secure?

问题描述

我正在向我的URL https://username:password@example.com 发送POST请求.脚本.我知道HTTPS会对凭据进行加密，因此它们不应在网络上可见.

I am sending POST request to URL https://username:password@example.com in my script. I know that HTTPS encrypts credentials so they should not be visible on network.

但是服务器日志呢，在那里可以看到它们吗?

But what about server logs, will they be visible there?

使用这种方法还有其他缺点吗?

Are there any other disadvantages of using this approach?

如何在客户端/服务器端使身份验证更安全?

How can I make authentication more secure on client/server side?

推荐答案

您可以在此处找到更多信息:是否对HTTPS URL进行了加密?(tl:发送电子邮件的方式最有可能不是加密的，但是您可以将凭据作为URL参数发送，从而对其进行加密).

You can find more information here: Are HTTPS URLs encrypted? (tl;dr: the way you are sending it is not encrypted most probably, but you can send the credentials as URL parameters instead, to make it encrypted).

接下来，如果您已开发服务器/受控服务器，则由您决定是否保留日志.如果不确定，可能会有日志.使用密码(尤其是纯文本，但不仅是纯文本)来保存日志不是一个好习惯.

Next, if you have developed the server/are in control, it is up to you to decide whether to keep logs or not. If you are unsure, there might be logs. Keeping logs with (plaintext especially, but not just) passwords is not a good practise.

服务器不应以明文形式存储密码.取而代之的是，密码应该与一些随机的盐一起存储(更多信息，请参见: https://security.stackexchange.com/questions/51959/why-are-salted-hashhes-hashes-more-secure-for-password-storage )，它们还增加了一些额外的CPU时间(〜100ms)，从而延迟了攻击者正在尝试进行蛮力攻击，因此应优先使用它们(感谢 zaph 进行更新).

The server should not store passwords in plaintext. Instead, the password should be stored along with some random salt (more information here: https://security.stackexchange.com/questions/111893/how-to-use-password-salt-the-right-way), not in a plaintext form. One way functions such as PBKDF2, Rfc2898DeriveBytes, Argon2, password_hash or Bcrypt can be used for example. These have the advantage over salted hashes (https://security.stackexchange.com/questions/51959/why-are-salted-hashes-more-secure-for-password-storage), that they also add some extra CPU time (~100ms), delaying an attacker who is attempting a brute-force attack, thus they should be preferred (thanks zaph for the update).

通常，如果服务器受到威胁，则读取日志只是攻击者获取用户信息的一种方式.一旦您已经使用SSL且不将凭据作为域名的一部分发送(因此，以纯文本格式)，则增强身份验证安全性就可以将攻击者拒之门外.必须使用加盐的哈希值(这样，在发生泄露的情况下，用户密码仍然是安全的)，从那以后，这实际上取决于您的预算.完美的安全性是不可能的，但是您采取的对策越多，服务器遭受破坏的可能性就越大.但这是一个巨大且值得商bat的话题，无法在StackOverflow答案中进行总结.

In general, if the server gets compromised, reading the logs is just one way for the attacker to get user information. Enhancing the authentication security is closely related to keeping attackers off your servers, once you are already using SSL and not sending credentials as part of the domain name (thus, in plaintext). Using salted hashes is a must (so that in case of a breach the user passwords remain secure), and from that point on it really depends on your budget. Perfect security is not possible, but the more countermeasures you put in place, the harder it might be for your server to get compromised. But this is a huge and very debatable topic, that cannot be summarised in a StackOverflow answer.

编辑:已更新，以修正基于 zaph '的当前密码存储最佳做法.的评论.

Updated to fix current best practise for password storing, based on zaph's comment.

这篇关于HTTPS URL中的用户名和密码是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！