Password retrieval and storage


Problem description

In my application I have to make repeated calls to web services which require authentication. The users do not want to repeatedly enter authentication information (username and password).

Is there a secure way to store the password at least for the length of the session the application is running, so the user has to enter the data only once?

At the moment I hold the password in memory and encrypt it after entering and decrypt it when it is used for the service call. But I feel somewhat uncomfortable with it. Is this a recommended way to handle that kind of data?

What about storing a password in a database to use it in multiple sessions? Is there a recommended way of handling that? I heard of bcrypt and PBKDF2. But they are just for hashing purposes and to compare an entered password against, not to use the "decrypted" password again.

Or would it be a better approach to use an external password cache, like KeePass (or whatever can be used)?

Recommended answer

For in-memory storage, use the SecureString class or NetworkCredential, which uses SecureString internally.

For persistent storage, encrypt the password using the Data Protection API. It will encrypt it with a key that is only accessible to the current Windows user on this computer.
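
The two suggestions above combined, as an added C# example that is not part of the original answer: the password is persisted with DPAPI under the current user's scope and handed to service calls as a NetworkCredential backed by SecureString. The class name, file path and entropy string are assumptions made for illustration.

```csharp
// Added example. Windows only; on .NET Core/5+ add the System.Security.Cryptography.ProtectedData package.
using System;
using System.IO;
using System.Net;
using System.Security;
using System.Security.Cryptography;
using System.Text;

static class CredentialStore   // hypothetical helper name
{
    // Assumed per-user location and constructed entropy (Unprotect needs the same entropy value).
    static readonly string BlobPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ExampleApp", "service-password.bin");
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.ServicePassword.v1");

    public static void Save(char[] password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(password);
        try
        {
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
            File.WriteAllBytes(BlobPath, blob);
        }
        finally
        {   // Wipe the plaintext copies this method controls.
            Array.Clear(plain, 0, plain.Length);
            Array.Clear(password, 0, password.Length);
        }
    }
    public static NetworkCredential Load(string userName)
    {
        // Throws CryptographicException if the blob was not protected by this Windows user or was modified.
        byte[] plain = ProtectedData.Unprotect(File.ReadAllBytes(BlobPath), Entropy, DataProtectionScope.CurrentUser);
        char[] chars = Encoding.UTF8.GetChars(plain);
        try
        {
            var secure = new SecureString();
            foreach (char c in chars) secure.AppendChar(c);
            secure.MakeReadOnly();
            return new NetworkCredential(userName, secure);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
            Array.Clear(chars, 0, chars.Length);
        }
    }
}
```

DPAPI with CurrentUser scope protects the blob from other users and from being copied off the machine, not from other code running as the same Windows user.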
