在数据库中存储密码的最佳方法 [英] Best way to store password in database
问题描述
我正在开发一个必须进行身份验证(用户名和密码)的项目
I am working on a project that has to have authentication (username and password)
它还连接到一个数据库,所以我想我会在那里存储用户名和密码.但是,将密码仅作为数据库表中的文本字段似乎不是一个好主意.
It also connects to a database, so I figured I would store the username and password there. However, it seems like not such a good idea to have passwords as just a text field in a table sitting on the database.
我正在使用 C# 并连接到 2008 快速服务器.任何人都可以建议(尽可能多的例子)存储此类数据的最佳方式是什么?
I'm using C# and connecting to a 2008 express server. Can anyone suggest (with as many examples as possible) what the best way to store this type of data would be?
P.S 如果可以提供充分的理由,我愿意不将这些信息存储在数据库中
P.S I am open to the idea that this info not be stored in the database if a good reason can be provided
推荐答案
您是对的,将密码存储在纯文本字段中是一个可怕的想法.但是,就位置而言,对于您将遇到的大多数情况(老实说,我想不出任何反例)存储表示在数据库中设置密码是正确的做法.通过表示,我的意思是你想使用盐(每个用户应该不同)和安全的单向算法来散列密码并存储那个,扔掉原始密码.然后,当您想验证密码时,您可以对值进行散列(使用相同的散列算法和盐)并将其与数据库中的散列值进行比较.
You are correct that storing the password in a plain-text field is a horrible idea. However, as far as location goes, for most of the cases you're going to encounter (and I honestly can't think of any counter-examples) storing the representation of a password in the database is the proper thing to do. By representation I mean that you want to hash the password using a salt (which should be different for every user) and a secure 1-way algorithm and store that, throwing away the original password. Then, when you want to verify a password, you hash the value (using the same hashing algorithm and salt) and compare it to the hashed value in the database.
因此,虽然您正在考虑这个问题并且这是一个好问题是一件好事,但这实际上是这些问题的重复(至少):
So, while it is a good thing you are thinking about this and it is a good question, this is actually a duplicate of these questions (at least):
为了进一步澄清一点,简单地散列密码并存储的危险在于,如果侵入者控制了您的数据库,他们仍然可以使用所谓的 彩虹表 能够解密"密码(至少那些出现在彩虹表中的密码).为了解决这个问题,开发人员在密码中添加了一个 salt彩虹攻击根本不可行.请注意,一个常见的误解是简单地向所有密码添加相同的唯一长字符串;虽然这并不可怕,但最好为每个密码添加唯一的盐.阅读本文了解更多信息.
To clarify a bit further on the salting bit, the danger with simply hashing a password and storing that is that if a trespasser gets a hold of your database, they can still use what are known as rainbow tables to be able to "decrypt" the password (at least those that show up in the rainbow table). To get around this, developers add a salt to passwords which, when properly done, makes rainbow attacks simply infeasible to do. Do note that a common misconception is to simply add the same unique and long string to all passwords; while this is not horrible, it is best to add unique salts to every password. Read this for more.
这篇关于在数据库中存储密码的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
