在需要最终以纯文本形式存储的 SQL 中存储密码的最佳方法是什么? [英] What would be the best way of storing a password in SQL that needs to eventually be in plain text?

问题描述

对于用户密码，我们应该始终对它们进行哈希和加盐，然后将哈希和加盐存储在数据库中.但是，存储最终需要以纯文本形式存储的密码的最佳做法是什么?我不喜欢在 SQL 中存储纯文本密码，但我必须将密码发送到库以便它可以访问某些内容.

For user passwords, we should always hash and salt them and then store the hash and salt in the DB. But what's the best practice for storing passwords that need to be eventually be in plain text? I don't feel comfortable storing a plain text password in SQL, but I have to send the password to a library so it can access something.

我的想法是我可以在数据库服务器上存储一个加密的密码，然后在 Web 服务器上解密.如果两者都受到损害，我就完蛋了.但如果只有一个被泄露，加密给我足够的时间来更改密码.

My thinking was that I could store an encrypted password on the database server and then decrypt on the web server. If both are compromised, I'm screwed. But if just one if compromised, the encryption gives me enough time to change the password.

大家怎么看?

推荐答案

如果您确实需要获取纯文本形式的密码(这确实不是一个好主意)，您可以使用对称加密来保护用户密码.但是您必须弄清楚如何保证私钥的安全.我的意思是您的代码中需要一个私钥才能解密数据.此外，您的所有开发人员都可以访问私钥，这意味着他们也可以访问纯文本.

If you really need to get plain-text form of password ( which is really not good idea ) you can use symmetric encryption for security user passwords. But you must figure out how to keep private key in secure. I mean you need a private key in your code in order to decrypt data. Also all of your developers can access private key which means they can access plain-text too.

另外我建议你阅读这篇文章.它正在比较散列和加密用户密码.http://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374

Also I suggest you to read this article. It's comparing hashing and encrypting user password. http://www.darkreading.com/safely-storing-user-passwords-hashing-vs-encrypting/a/d-id/1269374

这篇关于在需要最终以纯文本形式存储的 SQL 中存储密码的最佳方法是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！