如何最好地存储用户信息和用户登录名和密码 [英] How to best store user information and user login and password

问题描述

我正在使用 Mysql，我认为最好将用户的个人信息及其登录名和密码分离到两个不同的表中，然后在两者之间引用它们.

I'm using Mysql and I was assuming it was better to separate out a users personal information and their login and password into two different tables and then just reference them between the two.

注意:为了澄清我的帖子，我了解保护密码的技术(散列、盐等).我只知道，如果我遵循我生活其他部分(投资、数据备份，甚至个人存储)的做法，那么在最坏的情况下(包括表或火灾)，在表之间拆分信息可以保护您的附加数据.

Note : To clarify my post, I understand the techniques of securing the password (hash, salt, etc). I just know that if I'm following practices from other parts of my life (investing, data backup, even personal storage) that in the worst case scenario (comprised table or fire) that having information split among tables provides the potential to protect your additional data.

推荐答案

不要存储密码.如果它曾经坐在磁盘上，它可能会被盗.相反，存储密码哈希.使用正确的哈希算法，例如 bcrypt(包含盐).

Don't store passwords. If it's ever sitting on a disk, it can be stolen. Instead, store password hashes. Use the right hashing algorithm, like bcrypt (which includes a salt).

编辑:OP 回应说他理解上述问题.

EDIT: The OP has responded that he understands the above issue.

无需将密码存储在与登录名不同的物理表中.如果一个数据库表被破坏，访问同一个数据库中的另一个表并不是一个大的飞跃.

There's no need to store the password in a physically different table from the login. If one database table is compromised, it's not a large leap to access another table in that same database.

如果您非常关心安全性和深度安全性，您可能会考虑将用户凭据存储在与域数据完全独立的数据存储中.通常采用的一种方法是将凭据存储在 LDAP 目录服务器中.这也可能有助于您以后进行的任何单点登录工作.

If you're sufficiently concerned about security and security-in-depth, you might consider storing the user credentials in a completely separate data store from your domain data. One approach, commonly done, is to store credentials in an LDAP directory server. This might also help with any single-sign-on work you do later.

这篇关于如何最好地存储用户信息和用户登录名和密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！