实现用户登录系统的正确方法 [英] The proper way of implementing user login system

问题描述

我想建立一个用于学习的用户登录系统.我有几个问题.

I want to make a user login system for the purpose of learning. I have several questions.

我做了一些研究，发现实现用户登录系统的正确方法是在数据库中存储用户名/ID和密码的加密/散列版本.当用户登录时，密码将在客户端(MD5，SHA-1等)进行加密，然后发送到服务器，并与数据库中的密码进行比较.如果它们匹配，则用户成功登录.

I did some research and found that the proper way of implementing a user login system is to store the user name/id and the encrypted/hashed version of the password in the database. When a user logs in, the password is encrypted client side (MD5, SHA-1 etc.) and sent to the server where it is compared with the one in database. If they match, the user log in successfully.

此实现可防止DBA或程序员在数据库中看到密码的明文.它还可以防止黑客拦截传输中的真实密码.

This implementation prevents DBAs or programmers seeing the cleartext of the password in the database. It can also prevent hackers intercepting the real password in transit.

在这里我很困惑:

1. 如果黑客知道密码的哈希/加密版本(通过黑客攻击数据库)或DBA，程序员只需读取数据库中的文本即可获得密码的哈希版本.然后，他们可以轻松地创建一个程序，将密码的此哈希版本发送到服务器，从而使其能够成功登录.如果可以这样做，则对密码进行加密似乎不是很有用.我想我对这里有些误解.

1. What if the hackers know the hash/encrypted version of password (by hacking the database) or DBAs, programmers get the hashed version of the password by just simply reading the text in the database. They could then easily make a program that sends this hashed version of the password to the server allowing them to successfully log in. If they can do that, encrypting the password doesn't seem very useful. I think I misunderstanding something here.

这是(我上面描述的)最流行的实现用户登录功能的方法吗?它是否遵循当前的最佳做法?我是否必须手动执行所有操作，或者某些数据库具有内置的功能来执行相同的操作?对于网站或网络应用程序，是否有最常用的方法/方法?如果是这样，请向我提供详细信息.

Is this (the way I described above) the most popular way to implement user login functionality? Does it follow current best practices? Do I have to do everything manually or does some database have the built-in ability to do the same thing? Is there a most common way/method of doing this for a website or a web app? If so, please provide me with details.

我的前公司使用bedDB来存储包括密码在内的用户登录信息.他们在加密方面没有做太多事情.他们说，ouchDB将自动对密码进行加密并将其存储在文档中.我不确定这是否安全.如果是这样，那么这对于程序员来说非常方便，因为它可以节省大量工作.

My former company used couchDB to store user login info including passwords. They did not do too much with the encryption side of things. They said couchDB will automatically encrypt the password and store it in the documents. I am not sure if this is a safe way. If so, then it is pretty convenient for programmers because it saves lots of work.

这样(第3点)是否足够安全以正常使用?其他数据库系统(例如mySQL)是否具有可以做相同事情的这种能力?如果是这样，是否意味着使用mySQL内置方法足够安全?

Is this way (point 3) secure enough for normal use? Do other database system such as mySQL have this kind of ability that can do the same thing? If so, does it mean that using mySQL built-in method is secure enough?

我不是在寻找实现用户登录功能的非常安全的方法.我想寻找一种对于大多数Web应用程序来说足够流行，易于实现，适当且安全的方法.请给我一些建议.提供的详细信息将不胜感激.

I am not looking for a very super secure way of implementing user login functionality. I am rather looking for a way that is popular, easy-to-implement, proper, secure enough for most web applications. Please give me some advice. Details provided will be really appreciated.

推荐答案

一些说明:

1. 请勿使用MD5.它被认为是坏的.使用SHA，但我建议使用比SHA1更好的东西. - https://en.wikipedia.org/wiki/MD5
2. 您没有提及对密码加盐的任何内容.这对于防止Rainbow表是必不可少的. - https://en.wikipedia.org/wiki/Rainbow_tables
3. 添加密码/哈希密码的想法并不是真正保护您自己的应用程序.这是因为大多数用户在多个站点上都使用了一些密码.散列/加盐防止任何访问您的数据库的人了解这些密码是什么，并使用它们登录其银行应用程序或类似内容.一旦有人获得对数据库的直接访问权，您的应用程序的安全性便已完全受到威胁. - http://nakedsecurity.sophos.com/2013 /04/23/users-same-password-most-websites/
4. 请勿使用数据库的内置安全性来处理您的登录.它很容易破解，为他们提供了比应有的方式更多的应用程序访问权限.使用表格.
5. 您没有提及任何有关SSL的信息.如果密码以纯文本形式通过网络发送，即使是设计良好的身份验证系统也无济于事.还有其他方法，例如质询/响应，但是不幸的是，当用户注册或更改密码时，仍然必须以纯文本形式将密码发送到服务器. SSL是防止这种情况的最佳方法.

1. Don't use MD5. It's considered broken. Use SHA but I'd recommend something a little better than SHA1. - https://en.wikipedia.org/wiki/MD5
2. You don't mention anything about salting the password. This is essential to protect against Rainbow tables. - https://en.wikipedia.org/wiki/Rainbow_tables
3. The idea of salting/hashing passwords isn't really to protect your own application. It's because most users have a few passwords that they use for a multitude of sites. Hashing/salting prevents anyone who gains access to your database from learning what these passwords are and using them to log into their banking application or something similar. Once someone gains direct access to the database your application's security has already been fully compromised. - http://nakedsecurity.sophos.com/2013/04/23/users-same-password-most-websites/
4. Don't use the database's built in security to handle your logins. It's hacky and gives them way more application access than they should have. Use a table.
5. You don't mention anything about SSL. Even a well designed authentication system is useless if the passwords are sent across the wire in plain text. There are other approaches like Challenge/Response but unfortunately the password still has to be sent in plain text to the server when the user registers or changes their password. SSL is the best way to prevent this.

这篇关于实现用户登录系统的正确方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！