是否有必要在通过HTTPS发送密码之前对其进行哈希处理? [英] Is it necessary to hash passwords before sending them over HTTPS?
问题描述
我是网络开发(今年1月开始)和网络安全(不到一周前开始!)的新手,所以如果我的问题严重缺乏教育,误导或简单愚蠢,请原谅。
I'm new to both Web development (started this January) and Web security (started less than a week ago!), so please excuse me if my question is grossly uneducated, misinformed or plain simple stupid.
我为主要产品工作的公司是一个很好的老式客户/服务器系统。为了使它对我们的客户更具吸引力,我被赋予了开发一系列以任务为中心的简单Web应用程序的任务,这些应用程序补充了系统的整个以业务流程为中心的设计。例如,如果用户在组织中的角色包括批准采购订单和付款订单,他们可能会发现使用WebApprovals应用程序比打开采购和库存模块更容易,并使用它们分别批准采购订单和付款订单。
The company I work for's main product is a good old-fashioned client/server system. To make it more appealing to our customers, I've been given the task of developing a bunch of simple-task-centric Web applications that complement the system's whole-business-process-centric design. For example, if an user's role in the organization consists in approving purchase orders and payment orders, they might find it easier to use the WebApprovals application than opening both the Purchases and Treasury modules, and using them to approve purchase orders and payment orders, respectively.
毋庸置疑,我的所有Web应用程序都有一个登录页面。当然,我需要它们是安全的。出于这个原因,按照设计,这些Web应用程序只能通过HTTPS使用,而不能通过纯HTTP使用。
Needless to say, all my Web applications have a login page. And, of course, I need them to be secure. For that reason, by design, these Web applications can only be used over HTTPS, never over plain HTTP.
现在,我想知道发送它的安全性如何HTTPS上的密码,没有任何进一步的安全措施它足够安全吗?具有安全领域经验的人必须说什么?
Now, I would like to know how secure it is to send passwords over HTTPS without any further security measures. Is it secure enough? What do people with experience in the security field have to say?
推荐答案
HTTPS将处理传输安全性,因此没有理由在客户端散列它们。如果这样做,从服务器的角度来看,散列密码基本上就是真正的密码。如果有人窃取了您的数据库,则每行将具有服务器期望通过网络接收的值。攻击者可以简单地创建一个直接发送哈希的新客户端,而不必担心任何真正的哈希值。
HTTPS will handle transport security, so there is no reason to hash them on the client side. If you do so, the hashed password essentially becomes the real one, from the server's point of view. If someone steals your database, each row would then have the value the server expects to receive over the network. The attacker can simply create a new client that sends the hash directly without bothering with any real hashing.
但是,通过网络发送的密码永远不应该存储在数据库中。相反,应该有每用户随机盐。这应该用于散列密码服务器端。
However, the password sent over the network should never be stored in the database. Rather, there should be a per-user random salt. This should be used to hash the password server-side.
参见 Salting Your Password:Best Practices?。
这篇关于是否有必要在通过HTTPS发送密码之前对其进行哈希处理?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
