在数据库中存储密码的最佳方式 [英] Best way to store password in database
问题描述
我正在开发一个必须具有身份验证(用户名/密码)的项目
I am working on a project that has to have authentication (user name/pass)
它还连接到数据库,所以我想要存储用户名和密码,但似乎没有这样一个好主意,只有一个文本字段在一个表坐在db上的密码
It also connects to a database so i figured i would store the user name and password there but it seems like not such a good idea to have passwords as just a text field in a table sitting on the db
我使用C#和连接到一个2008 express服务器。任何人都可以建议(尽可能多的例子)什么是最好的方式来存储这种类型的数据?
I'm using C# and connecting to a 2008 express server. can anyone suggest ( with as many examples as possible) what is the best way to store this type of data?
(我开放的想法,这个信息不是如果可以提供好的原因,则存储在数据库中)
(i am open to the idea that this info not be stored in the db if a good reason can be provided)
推荐答案
正确的是将密码存储在纯文本字段是一个可怕的想法。 但是,对于大多数情况下,你会遇到(我真的不能想到任何反例),存储表示, 的数据库中的密码是正确的事情要做。通过表示我的意思是,你想使用盐(这应该是不同的每个用户)和一个安全的单向算法和存储密码,扔掉原始密码哈希。然后,当你想验证一个密码,你哈希值(使用相同的哈希算法和盐),并将其与数据库中的哈希值进行比较。
You are correct that storing the password in a plain-text field is a horrible idea. However, as far as location goes, for most of the cases you're going to encounter (and I honestly can't think of any counter-examples) storing the representation of a password in the database is the proper thing to do. By representation I mean that you want to hash the password using a salt (which should be different for every user) and a secure 1-way algorithm and store that, throwing away the original password. Then, when you want to verify a password, you hash the value (using the same hashing algorithm and salt) and compare it to the hashed value in the database.
,而这是一个好东西,你在想这个问题,这是一个很好的问题,这实际上是这些问题的重复(至少):
So, while it is a good thing you are thinking about this and it is a good question, this is actually a duplicate of these questions (at least):
- How to best store user information and user login and password
- Best practices for storing database passwords
- Salting Your Password: Best Practices?
- Is it ever ok to store password in plain text in a php variable or php constant?
为了更清楚地说明salting位,简单的哈希密码和存储的危险是,如果侵入者得到你的数据库,他们仍然可以使用所谓的彩虹表,以便能够解密密码(在至少那些出现在彩虹表中)。为了解决这个问题,开发人员会向密码添加盐,在正确完成后,彩虹攻击根本不可行。请注意,一个常见的误解是简单地向所有密码添加相同的唯一长字符串;虽然这不是可怕的,但最好为每个密码添加独特的盐。 了解详情。
To clarify a bit further on the salting bit, the danger with simply hashing a password and storing that is that if a trespasser gets a hold of your database, they can still use what are known as rainbow tables to be able to "decrypt" the password (at least those that show up in the rainbow table). To get around this, developers add a salt to passwords which, when properly done, makes rainbow attacks simply infeasible to do. Do note that a common misconception is to simply add the same unique and long string to all passwords; while this is not horrible, it is best to add unique salts to every password. Read this for more.
这篇关于在数据库中存储密码的最佳方式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
