Securely storing credentials that can't be encrypted


Problem description

I have a client that's running an aggregator of information from multiple accounts. The database needs to store usernames and passwords to other websites in a way that can be used later by a script to log into those websites to retrieve data.

Rather than store them as plain text, I'm thinking we can hash them for storage. Obviously, someone could still access the plain text version if they had access to both the code and the database, but not if they only had one or the other.

Thoughts?

Recommended answer

If your system has a password, you can use it to generate a key to encrypt/decrypt the passwords for the other websites.

With that, you require your user to enter that password to be able to decrypt the passwords you have in your database.

A more detailed flow:

  1. The user enters the password 123456 when logging into the system.
  2. You compute the SHA256 of the password 123456 and get a key: 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
  3. Using the 8d969... key, decrypt the website passwords in your database with AES.

You can refine this in a number of ways. For instance: salting the password before computing the SHA hash.

As a practical sample of such salting, Michael suggests using PBKDF2 with HMAC-SHA-256 as its two-parameter pseudo-random function.

Other enhancement: storing an encrypted version of the key to allow your user to change their own password without having to re-encrypt all their passwords... etc...
