正确传输和保护用户的Web应用密码 [英] Properly transmitting and securing users' passwords for a web app
问题描述
我正在为我的Masters项目开发一个Web应用程序。它是教授管理学生项目的系统,它使用Java作为服务器端代码,使用HSQLDB作为数据库,使用JSP作为表示层,并在tomcat上运行。将存储的数据不包括任何敏感信息(学生ID,财务信息,没有类似的信息),但是用户名和密码是必需的,所以我想在学生使用密码的情况下自己保护密码我的应用程序,他们用于其他更重要的应用程序(即使我告诉人们不要这样做,这无疑会发生。)
I'm working on a web app for my Masters project. It's a system for professors to manage student projects, and it uses Java for the server-side code, HSQLDB for the database, and JSPs for the presentation layer, and it runs on tomcat. The data that will be stored doesn't include any sensitive information (student ID, financial info, nothing like that) but usernames and passwords are a requirement, so I want to protect the passwords themselves in the event that a student uses a password for my app that they use for some other, more important app (this will undoubtedly happen even if I tell people not to do it).
我从未调查过这个之前的事情,我很丢失。我找到了一篇很好的文章,解释了如何使用Java来创建一个密码哈希,我在 tomcat文档中找到了解释信息如何设置领域中使用的哈希方案以及如何使用 SSL与tomcat ,以及 JavaScript库从密码创建哈希,但我不确定如何将所有部分组合在一起,以及我需要什么部分。
I've never looked into this kind of thing before and I'm pretty lost. I did find a good article explaining how to use Java to create a hash of a password, and I found info in the tomcat documentation explaining how to set the hash scheme being used in realms and how to do SSL with tomcat, as well as a JavaScript library to create hashes from passwords, but I'm not sure how to put all the pieces together, and what pieces I need exactly.
如果我使用JavaScript库来散列密码并使用SSL进行登录步骤(之后我就不必考虑,因为其他数据不需要保护),然后只在数据库中存储密码的哈希版本,这是否足够?或者我还需要做更多的事情吗?我遇到了问题,其中讨论了答案PBKDF2和其他一些东西,但它让我更加困惑......如果我应该使用这些答案中提到的方案之一,我该怎么做呢?我没有在tomcat或其他文档中看到对它们的引用所以我不知道我是如何使用它们的。
If I use the JavaScript library to hash the password and use SSL for the login step (it's unnecessary after that I think since the other data doesn't need protecting), then store only the hashed versions of passwords in the database, is that sufficient? Or do I need to do something more? I ran across a question where answers discussed PBKDF2 and some other things, but it just confused me more... If I should use one of the schemes mentioned in those answers, how do I go about doing it? I haven't seen references to them in tomcat or other documentation so I don't know how I'd use them...
如果有人能解决我的困惑并告诉我安全传输和存储密码的正确方法是什么,我真的很感激。
If anyone can clear up my confusion and tell me what the correct way to securely transmit and store passwords is, I would really appreciate it.
推荐答案
SSL负责保护整个传输层。您无需担心通过HTTPS发送的数据。
SSL takes care of securing the entire transport layer. You don't need to worry about data that is sent over HTTPS.
切勿在数据库中存储真实密码。仅存储使用适当安全(即非MD5)散列函数制作的盐渍散列。为每个哈希使用不同的盐。
Never store real passwords in your database. Only store salted hashes made with appropriately secure (i.e. not MD5) hash functions. Use a different salt for each hash.
如果您遵循这些原则,无论您使用哪种组件,您都将拥有合理的用户名/密码存储机制。
If you follow these principals, no matter what components you use, you will have a reasonably username/password storage mechanism.
这篇关于正确传输和保护用户的Web应用密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
