如何在django中安全地存储第三方服务的密码? [英] how to securely store a password for a 3rd party service in django?
问题描述
我的目的是将这些细节存储在最好和最安全的办法。
不幸的是,我的服务需要这些数据用于查询第三方服务的一些脱机脚本,所以我无法存储用用户密码加密的登录/密码(并将其用于密钥来解密它们。
我读了很多关于stackoverflow的文章,但大多数文章(如:当API调用需要以纯文本发送密码时,将密码存储在数据库中的最佳方法是什么?需要离线访问此数据。
我唯一的想法是将这些详细信息存储在非常安全的服务器上,只接受来自我的django服务器的请求,并与他们沟通tls。
您还有其他想法吗?
提前谢谢!
首先,其他文章是正确的:从不将密码存储在纯tex t。如果您得出结论,您需要将其存储为纯文本,则需要重新思考您的策略(Oauth?)。使用盐密码密码的全部原因是,即使出现问题,密码也是安全的(因为没有密码,只有哈希...)。我实际上是想知道您需要什么原因,您需要这些第三方用户名和密码?
如果您真的必须存储这些,请使用加密的文件或数据库字段,并使其所以每当你的脚本运行你需要手动输入解密密码。我在这里假设你不会每5分钟运行一次这个脚本,而是每周一次。此外,请确保执行此操作的服务器不会执行任何其他操作,也没有其他本地用户,否则可能会分析内存并查找解密的密码。
$ b $总而言之,我仍然会说你所尝试的是非常非常危险的,你应该非常仔细地进行...
I'm running a web service on Django. Users register to my system and provide me login details (username and password) for a 3rd party web service).
My purpose is to store this details in the best and safest way. Unfortunately my service needs this data for some offline scripts that query the 3rd party service, so I cannot store the login/password encrypted with user password (and use it to a key do decipher them.
I read lots of articles on stackoverflow, but most of them (like: What is the best way to store password in database when API call requires sending of password in plain text?) do not need an "offline" access to this data.
The only idea I have is to have these details stored on a very secured server, that only accept request from my django server, and tunnel their communication with tls.
Do you have any other ideas?
Thank you in advance!
First and foremost, the other articles are correct: never store passwords in plain text. If you come to the conclusion that you need to store them in plain text, you need to rethink your strategy (Oauth?). The whole reason for using hashed passwords with salts is that even if things go wrong, the passwords are safe (since there are no passwords, only hashes...). I'm actually wondering for what reason exactly you need these third party usernames and passwords?
If you really must store these, use an encrypted file or database field and make it so that whenever your script runs you need to manually enter the decryption password. I assume here that you don't run this script every 5 minutes, but once a week or so. Besides that, make absolutely sure that the server doing this is not doing anything else and has no other local users, otherwise it would be possible to analyze memory for instance and find the decrypted passwords.
In all, I would still say that what you're attempting is very, very dangerous, and you should proceed very carefully...
这篇关于如何在django中安全地存储第三方服务的密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
