在没有OpenID的情况下将密码存储到API的安全方法? [英] Secure Way of storing Passwords to APIs without OpenID?

问题描述

我问了一个此处类似的问题答案是提供了不错的OpenID，但不适用于需要身份验证且不使用它的服务(例如EventBrite).

I asked a similar question here a while back but all the answers were offering OpenID which is nice but it doesn't work with services that require authentication that don't use it (such as EventBrite).

说我想创建一个应用程序，该应用程序列出来自事件brite的事件及其分析(eventbrite包括在内).任何人都可以注册此服务以列出其活动.但是，由于EventBrite没有要验证的OpenID，因此我需要以某种方式使用户登录名和密码进入EventBrite.

Say I want to create an app that lists your events from event brite, and their analytics (which eventbrite includes). Any person can sign up for this service to list their events. But since EventBrite doesn't have OpenID to authenticate, I need to somehow get the user login and password to EventBrite.

一些可能的解决方案是:

Some possible solutions are:

1. 将凭据存储在YAML中像这样.容易被黑客入侵.
2. 让用户在我的网站上的表单中输入凭据，然后将凭据保存到数据库中，并使用它们登录到EventBrite.容易被黑客入侵.
3. 让用户输入凭据，然后将它们直接保存到数据库中，然后将它们直接传递给EventBrite，然后将响应头Cookies保存到数据库中，当它们过期时，请再次登录.这很容易被黑客入侵吗?

1. Store credentials in YAML like this. Easily hackable.
2. Have user enter in credentials into a form on my site, I save the credentials to my database, and use them to login to EventBrite. Easily hackable.
3. Have user enter in credentials and I pass them directly to EventBrite without saving, and I save the response header Cookies to the database, and when they expire, have them login again. Is this easily hackable?

此假设服务还希望自动检查事件(例如通过cron进行检查)，因此它不依赖于用户通过浏览器访问我的网站.因此，需要将Cookie或凭据存储在某个地方.

This hypothetical service also wants to automatically check events (say via cron), so it doesn't depend on the user going to my site via the browser. So cookies or credientials need to be stored somewhere.

问题是，在问了这个问题之后，关于机密性和安全性的类似问题，听起来您应该从不构建符合我所描述的应用程序.必须有某种方式可以构建类似这样的东西.

The thing is, after asking this similar question about confidentiality and security it sounds like you should never build an application that does what I'm describing. There's got to be some way building something like this is okay.

那是什么方式?我想念什么?是否可以使用#3并保存cookie(但仍然需要用户通过我发送给Eventbrite的表单来提交电子邮件/密码)?什么是可接受的解决方案?

What is that way? What am I missing? Is it okay to go with #3 and save the cookies (but still needing the user to submit their email/password via a form which I send to Eventbrite)? What is an acceptable solution to the problem?

推荐答案

没有安全的方法可以做到这一点.您可以采用解决方法，仅此而已.

There isn't a secure way to do this. You can employ workarounds, but that's about it.

1. 以明文形式将密码存储在YAML或XML中肯定没用
2. 实际上，即使加密和存储密码也是错误的.您的应用程序将需要一种解密密码的方法，因此攻击者还可以解密密码.
3. 建议的存储密码的方法是Salt + Hash，但是由于它变得不可恢复，因此在您的情况下是无用的.
4. 因为2& 3，无论您将用户凭据存储在何处，都容易受到攻击.
5. 存储cookie而不是密码是一个更好的主意.但是，这又涉及到通过您的网站的密码，这是不好的.

根据您的情况，存储cookie是一种更好的方法.甚至在您的网站上都使用HTTPS.但是它并不理想，您和您的用户应该意识到这一点.

Given your situation, storing the cookie is a better approach. Use HTTPS throughout, even on your website. Its less than ideal though, and you and your users should be aware of it.

这篇关于在没有OpenID的情况下将密码存储到API的安全方法?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！