在ASP.NET网页散列用户口令VS SQL CLR [英] Hashing web user password in ASP.NET vs SQL CLR
问题描述
是否有选择在SQL CLR数据库级别哈希在ASP.NET应用程序级用户密码VS任何安全问题?我见过它做左右逢源。
Are there any security concerns in choosing to hash a user password at the application level in ASP.NET vs at the database level in SQL CLR? I'm seen it done both ways.
我的想法是,在应用层面上,口令只能从浏览器向Web服务器发送一次。在数据库中实现中,口令被发送的第二时间到数据库散列。
My thinking is that in the application level, the password is only sent once from the browser to the webserver. In a database implementation, the password is sent a second time to the database for hashing.
在后一种情况下,有人运行SQL Server探查将能够看到发送到明文的过程或功能的密码。我不是太熟悉SQL Server的审核,但如果不得不捕获类似的信息的能力,它会带来风险为好。
In the latter case, someone running SQL Server Profiler would be able to see the password sent to the procedure or function in plaintext. I'm not too familiar with SQL Server Auditing, but if it had the ability to capture similar information it would pose a risk as well.
推荐答案
您应该在你的应用程序散列密码,而不是在你的数据库。这意味着:
You should hash the password in your application, not in you database. This means that:
- 浏览器应用程序 - >密码通过SSL保护发送纯文本
- 应用数据库 - >密码散列永诺
现在你有一个人跑一个分析器没有问题的,因为密码被散列。此外,如果有人可以运行一个分析器,他大概可以做更多的伤害然后读取密码...
Now you have no problem with someone running a profiler, because the passwords are hashed. Besides that if someone can run a profiler, he can probably do much more damage then reading the passwords...
这篇关于在ASP.NET网页散列用户口令VS SQL CLR的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
