如何将密码安全地存储在数据库中? [英] How to store passwords in database securely?

问题描述

我已经读到一种在数据库中存储密码的方法是通过以下方法.要具有包含用户名，哈希和盐列的数据库表.盐将永远不会显示.

I have read that one way to store passowrds in a database is by the following way. To have a database table with columns username, hash and salt. The salt would never be shown.

我用密码+ salt生成哈希.密码由用户发送，并且不存储在数据库中.如果生成的哈希与数据库中存储的哈希相同，则密码正确.

I generate the hash with password + salt. The password is send by the user and is not stored in the database. If the generated hash is the same as that stored in the database, the password is correct.

但是我有我的疑问.如果我发送密码，则在通过电线传输密码时它可能会被窃听，因此我认为也需要对通信进行加密.因此，使用哈希和盐仅仅是为了保护数据免受管理员侵害?我的意思是，如果我将密码存储在数据库中，则管理员可以轻松访问所有信息.如果我存储哈希，管理员将无法访问用户的信息，因为管理员没有信息的一半，只有盐而不是密码.但是，尽管用户需要发送密码，但有人可能会嗅到它，因此密码就暴露了.

But I have my doubts. If I send the password, it could be sniffed while it is transmitted by the wire, so I think that it is neccesary to encrypt the communication too. So using a hash and salt is only to protect the data from the administrator? I mean that if I store the password in database, an administrator could easily access all information. If I store the hash, the administrators can't access to the information of users becasue the administrator don't have the half of the information, only the salt and not the password. However, while the user need to send the password, this could be sniff by someone, so the password is exposed.

保护用户信息的最佳方法是什么?

How is the best way to protect the information of the user?

谢谢.

推荐答案

散列密码还可以保护您的数据免受外界的攻击.想象一下，如果有人使用SQL注入访问您的数据，那么他只会得到一个哈希&.不是通行证.您可以使用HTTPS通过网络进行安全的通信，使用现有的哈希密码表可以建立良好的安全模型. 保护加盐的密码哈希

Hashed passwords also protect your data from outsiders. Imagine, if someone accessed your data using a SQL injection he would only get a hash & not the pass. You can use HTTPS for secure communication over your network & use your existing table of hashed passwords for a good security model. Secure salted password hashing

这篇关于如何将密码安全地存储在数据库中?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！