将密码存储在数据库中的首选可恢复方法 [英] Preferred recoverable method to store passwords in database
问题描述
我要在服务器上的数据库中存储一些密码。
I want to store some passwords on my database at server.
密码应该可以恢复,因为我想要使用它们用于第三方API密码。 (所以我不能使用像md5这样的单向方法...)
The passwords should be recoverable, since I want to use them for a third-party api which needs the password. (So I can't use one-way methods like md5...)
在数据库中保存密码的最好方法是什么?是否有比存储纯文本更好的方法?
What is the best method to save passwords in database? Isn't there any better way than storing plain text?
推荐答案
AES 是加密声音,可能是为新应用程序选择的最常见的加密(相对于散列)机制。
AES is cryptographically sound and probably the most common encryption (as opposed to hashing) mechanism selected for new applications.
请小心为您加密的每个密码生成随机初始化向量(IV),并将密钥和IV与加密的密码字节分开存储。
Take care to generate a random initialization vector (IV) for each password that you encrypt, and store the Key and the IV separately from the encrypted password bytes.
要了解AES和Rijndael之间的差异,请查看
To understand differences between AES and Rijndael check out
http://blogs.msdn.com/b/shawnfa/archive/2006 /10/09/the-differences-between-rijndael-and-aes.aspx
Rijndael之间有一些差异和AES的官方FIPS-197规范
there are some differences between Rijndael and the official FIPS-197 specification for AES
您应该为每个用户使用唯一的IV。然而,存储每用户密钥使得复杂的密钥管理场景成为可能。我会建议一个关键的应用程序和每个用户的IV。
You should use a unique IV per user. However, storing the key-per-user makes for a complex key management scenario. I would suggest one key for the application and an IV per user.
IV可以保存在密文旁边。密钥应该存储在数据库之外。
The IV can be saved alongside the ciphertext. The key should be stored outside of the database.
您可以将加密的密钥存储在web.config中。请参见此。
You could store the key, encrypted, in web.config. See this.
这篇关于将密码存储在数据库中的首选可恢复方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!