Is storing login and password hash in session secure?


Question

What is the best way to store username and SHA1 login for an intranet application?

Is session a relatively secure way to hold information like multidomain info, username and password hash? I keep them as Session["data"] = customObject()

Do I need to do any additional step to make those data secure? Is there a potential security problem or hole which can be compromised? Some kind of session injection? Should I use some private-key process to lock/open session data for reading?

Accepted answer

Storing a password hash is secure whichever way you go. The idea of hashing the password is so that it can't be reverse engineered into the password. That is why hashed passwords are recommended practice and commonly stored in databases (i.e. ASP.net membership provider). You can use encryption, but IMHO that is less secure than hashing.

Storing a hashed password in session state, either InProc, SQL Server or session server, is fine. Storing the raw password should be a hanging offence.

You would avoid exposing the hashed password to the world either via form or URL information, as SHA1 has been determined to be insecure. I would recommend SHA256, but in any case don't publish the hash.

I would be wondering why you want to keep this information at all. I can't think of any value it has. Once the password has been hashed, it can't be used to re-authenticate the user onto a different site.
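The following is an added example, not code from the question or the answer above, and it uses plain Python rather than ASP.NET (all names, the user store and the word list are constructed for illustration). It makes two of the answer's points concrete and goes a little beyond them: a single unsalted SHA-1 or SHA-256 of a weak password is recovered by a dictionary attack in microseconds, so a hash sitting in session state is nearly as sensitive as the password itself; and the session does not need the hash at all, since an opaque random token mapped server-side to the user is enough to carry "who is logged in" and the multidomain data, while the password is checked once against a salted, slow PBKDF2 record that never leaves the user store.

```python
"""Session contents after login: what to keep and what to leave out.

Added example, not from the original Q&A. Names and sample data are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data: a realistic weak password and a tiny attacker word list.
WEAK_PASSWORD = "Summer2009"
WORDLIST = ["password", "letmein", "Summer2009", "Winter2009", "qwerty"]


def fast_hash(password: str, algo: str = "sha256") -> str:
    """Unsalted single-pass digest, the kind the question proposes keeping in session.

    Swapping SHA-1 for SHA-256 changes nothing about how cheaply this is guessed."""
    return hashlib.new(algo, password.encode()).hexdigest()


def crack_fast_hash(digest: str, algo: str, wordlist) -> Optional[str]:
    """Dictionary attack against a fast unsalted hash: hash each candidate, compare."""
    for candidate in wordlist:
        if hmac.compare_digest(fast_hash(candidate, algo), digest):
            return candidate
    return None


# --- The alternative: slow salted hash in the user store, opaque token in the session ---

PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def make_password_record(password: str) -> Dict[str, object]:
    """Stored at registration. Per-user random salt defeats precomputed dictionaries;
    the iteration count makes each guess cost the attacker as much as it costs us."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "dk": dk, "iterations": PBKDF2_ITERATIONS}


def verify_password(record: Dict[str, object], password: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


class SessionStore:
    """Server-side session table: random token -> {user, domains}.

    No password, no hash, nothing an attacker could reuse against the user store."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, object]] = {}

    def login(self, users: Dict[str, Dict[str, object]], username: str, password: str) -> Optional[str]:
        """Verify the password once; on success mint an unguessable token and return it.
        (An unknown user returns faster than a wrong password; equalise that with a
        dummy verify if username enumeration matters in your deployment.)"""
        rec = users.get(username)
        if rec is None or not verify_password(rec["pw"], password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, the only thing the client holds
        self._sessions[token] = {"user": username, "domains": list(rec["domains"])}
        return token

    def get(self, token: str) -> Optional[Dict[str, object]]:
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # server-side revocation; the client cookie becomes inert


if __name__ == "__main__":
    # Point 1: the "un-reversible" fast hash of a weak password falls to a word list.
    for algo in ("sha1", "sha256"):
        print(algo, "recovered:", crack_fast_hash(fast_hash(WEAK_PASSWORD, algo), algo, WORDLIST))

    # Point 2: the session carries identity and multidomain data, never credentials.
    users = {"alice": {"pw": make_password_record(WEAK_PASSWORD), "domains": ["corp", "lab"]}}
    store = SessionStore()
    token = store.login(users, "alice", WEAK_PASSWORD)
    print("session for token:", store.get(token))
    print("wrong password gives:", store.login(users, "alice", "Summer2010"))
```

If the application genuinely needs the "multidomain info" per request, that belongs in the server-side session record as shown, keyed by the token; the password hash contributes nothing to that lookup and only widens what a session-state compromise (InProc memory dump, SQL Server session table, or a leaked state-server connection) hands to an attacker.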

