当它是一个好主意，存储密码以明文形式？ [英] When is it a good idea to store passwords in clear text?

问题描述

我的工作是在非技术用户为对象的应用程序。我期待和密码丢失和无法登录了大量的支持电话。

I am working on an application that is targetted at non technical users. I expect a large number of support calls regarding lost passwords and inability to login.

我使用ASP.NET成员资格提供程序，它提供3个选项用于存储密码 - 清除文字，散列加密

I am using ASP.NET membership provider that provides 3 options for storing passwords - Clear text, Hashed, Encrypted.

这是个好主意，存储密码中给出这个应用程序的性质明文？是否有涉及存储明文密码的任何法律问题？

Is it a good idea to store passwords in clear text given the nature of this application? Are there any legal issues involved in storing passwords in clear text?

推荐答案

从不。

有从来没有一个很好的理由来存储密码在你的数据库，永远。尤其是不的明文。你应该存储的散的密码的仅。

There is never a good reason to store passwords in your database, ever. Especially not in clear text. You should be storing the hash of the password only.

的最坏的你可以做一个用户的是广播在互联网上的康复密码明文电子邮件。它的那么容易的简单存储其中的密码的单向散列无法恢复的

The worst thing you can do to a user is broadcast their "recovered" password across the Internet in a clear-text e-mail. It is so easy to simply store a one-way hash of the password which cannot be recovered.

有关丢失的密码，您只需重置的密码，并给他们他们有登录时更改临时密码。安全可靠。

For lost passwords, you simply reset their password and give them a temporary password which they have to change when they log in. Safe and secure.

人们通常使用多个应用程序相同的密码（尤其是非技术用户）。因此，您的应用程序可能会包含对人的银行帐户的密码，电子邮件等。

People often use the same passwords for multiple applications (especially non-technical users). So your application will likely contain the passwords for people's bank accounts, email, etc.

您有一个的责任的，以确保用户的密码，不管你的应用是多么微不足道。

You have a responsibility to secure users' passwords, no matter how trivial your application is.

这篇关于当它是一个好主意，存储密码以明文形式？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！