Hashing vs. Encrypting Passwords


Question

I'm using ASP.NET membership for a site that will serve primarily sophisticated users. I understand the difference between hashed and encrypted passwords, and I'm trying to decide between the two.

After my last client complained bitterly about hashed passwords being a total PITA, I've started to favor encrypted passwords. But someone suggested this just isn't secure enough.

So my question is: What, exactly, are the risks of encrypting passwords? Any person with the ability to steal passwords by decrypting them from the database would surely have the ability to reset them if they were hashed, no? I'm having trouble seeing where someone could cause trouble with encrypted passwords but couldn't with hashed ones. Making it convenient for users is also important.

Accepted answer

The risk with decryptable passwords is that people use the one password for various logins and accounts, not just for the application you are dealing with.

  • With encrypted passwords, a stolen/decrypted password can be tried against the user's other accounts (e.g. a stolen bank password could lead to access to their email).
  • With hashed passwords, there is no recovery. A stolen password hash should never readily produce a usable password.

Treat passwords as the property of the account owner. It's not yours to view, decrypt, or do other things with. If a user forgets their password, offer reset, and not retrieval.
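The contrast the answer draws, as an added example that is not part of the question or the answer above. It models the two storage choices side by side and then asks what someone holding a dump of the user table (plus the application's key, which in an ASP.NET membership deployment lives in configuration next to the database connection string) can learn from each column. The "encrypted" column uses an HMAC-SHA256 keystream XOR as a stand-in for a real symmetric cipher so the script runs on the Python standard library alone; the key, the sample password and the guess list are all constructed for the demo. The hashed column uses PBKDF2-HMAC-SHA256 with a per-record random salt, which is the standard-library option; a memory-hard function such as Argon2 would be the stronger choice in production.

```python
import hashlib
import hmac
import os

# Constructed demo key. In a real deployment this is the application's
# data-protection / machine key, stored in configuration on the web server,
# i.e. in the same places an attacker who dumped the database can often reach.
APP_KEY = b"constructed-demo-key-do-not-reuse"

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR/GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, key: bytes = APP_KEY) -> bytes:
    """Reversible storage: nonce || (password XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    plaintext = password.encode("utf-8")
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_password(record: bytes, key: bytes = APP_KEY) -> str:
    """Anyone holding the record and the key gets the plaintext back."""
    nonce, ciphertext = record[:NONCE_LEN], record[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks)).decode("utf-8")


def hash_password(password: str, iterations: int = 600_000) -> str:
    """One-way storage: salted, iterated PBKDF2-HMAC-SHA256.

    Format: algorithm$iterations$salt_hex$derived_key_hex. The salt is random
    per record so identical passwords do not produce identical hashes.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def what_a_db_thief_learns(encrypted_record: bytes, hashed_record: str,
                           stolen_key: bytes, guesses: list[str]):
    """Constructed breach scenario.

    Returns (plaintext_from_encrypted_column, plaintext_from_hashed_column).
    The encrypted column yields the password directly once the key is in hand.
    The hashed column cannot be reversed; the attacker's only move is to guess,
    paying the full PBKDF2 cost per guess, and a password that is not in the
    guess list is not recovered at all.
    """
    from_encrypted = decrypt_password(encrypted_record, stolen_key)
    from_hashed = next((g for g in guesses if verify_password(g, hashed_record)), None)
    return from_encrypted, from_hashed


if __name__ == "__main__":
    # Constructed sample: the user reuses this password for their bank and email.
    password = "Tr0ub4dor&3-constructed"
    enc_row = encrypt_password(password)
    hash_row = hash_password(password)

    # The thief has the table dump, the application key, and a small wordlist.
    recovered = what_a_db_thief_learns(
        enc_row, hash_row, APP_KEY, ["password", "123456", "letmein"]
    )
    print("from encrypted column:", recovered[0])   # the real password, reusable elsewhere
    print("from hashed column:   ", recovered[1])   # None: nothing to decrypt, guesses failed
```

The scenario is the point of the answer in executable form: the second column gives the attacker a yes/no oracle and a slow guessing problem, the first gives them the credential itself. The guessing branch is also the caveat a practitioner should keep in mind: hashing protects a password only to the extent that it is not in the attacker's wordlist, so the "no recovery" property applies to the hash, not to a weak password.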
