Why aren't original passwords stored?


Question

I am new to web development. Am I allowed to store users' original passwords? I know good practice is to store the hashed password using a salt, but why don't we store the original password?

Is it because the database is easily hacked, so hashing protects passwords? Are there any other reasons? If not, I would like to store the original password if it is legal to do so.

Recommended answer

The legality depends on the country you live in. But there are best practices, too. And a best practice is to encrypt users' passwords. In this way, if someone breaks into your database, they will not be able to obtain the long list of passwords and try each one of them on eBay, Yahoo Mail, and Gmail. Users generally use the very same username and password pair for many sites.

As Jon points out in the comment, of course there is a difference between hashing and encrypting. Hashing is a one-way, data-destructive process which takes an arbitrary-length string as input and outputs a fixed-length string. This string is defined in such a way that changing any single bit in the original input will cause the hash to be different. If you have a hash, therefore, it is not possible to reconstruct the original text (i.e. it is not possible to recover the password).

On the other hand, encryption proper is a technique where you can recover the original password, knowing the secret keys, passwords, etc.

Usually, you want to hash passwords, not encrypt them: it's not necessary, and it is more complex to set up. You are not supposed to recover passwords either: you will just regenerate them.

