How necessary is it to encrypt the database password field?


Question

I heard that for security reasons it is advised to keep the password field encrypted in the database.

In the case of my website, only I can access the database. And I have no problem with me viewing others' passwords, as per our website policy.

Does this apply to my website too, or is there some other security reason behind this advice?

Recommended answer

The guidance is that nobody - not even the user themselves - should be able to see passwords, and that they should not be stored in the database in a way that allows them to be retrieved. This is because there are many ways in which this data can get lost - an administrator may print out a report and leave it on their desk; an attacker might be able to use SQL injection to run database queries; someone may be able to break into your building and steal a backup tape.

Many customers use the same password on multiple sites - so if your site is the weakest link, you may be exposing them to risks on other sites if they have re-used their passwords.

The recommendation is to use a cryptographic technique called "hashing", which takes the plaintext password and turns it into a meaningless string; there's no way to reverse the hash, which means that even if I stole the hashed password, I couldn't work out what the original plain text was.

Hashing the same string twice gives the same hash - so when someone logs in, you hash their plaintext password and compare it to the hash in the database.

The OWASP link provides further information on this topic, including "salting" the hash.
