为什么纯文本密码不好,我如何让我的老板相信他的宝贵网站处于危险之中? [英] Why are plain text passwords bad, and how do I convince my boss that his treasured websites are in jeopardy?
问题描述
我一直认为将密码以纯文本形式存储在数据库中(正如这里的其他人所说)是一件非常糟糕的事情™.
I've always been of the impression that storing passwords in a database as plain text is (as someone else here put it) a Very Bad Thing™.
从历史上看,我们大部分的服务器端编码需求都外包给了一组程序员.它们以纯文本形式将密码存储在 MySQL 数据库中.
Historically, most of our server-side coding needs have been contracted out to a group of programmers. They store passwords in MySQL databases in plain text.
作为常驻代码猴子(顺便说一句,第一个在这里工作的精通服务器端的猴子,所以我可以说是继承地球)我有这个胃口,感觉这是我的屁股当这个纯文本废话被利用时就行了.
As the resident code monkey (incidentally, the first server-side-savvy monkey to work here, so I'm inheriting the earth, so to speak) I have this pit of the stomach feeling that it's my bum that will be on the line when this plain text nonsense is exploited.
我试图向我的老板解释纯文本密码是多么糟糕,但我突然明白了:我想我从来没有真正知道它们为什么如此糟糕.除了在银盘上向您的黑客提供密码列表之外,还有更多其他用途吗?这对我来说听起来已经够糟糕了,但是在我们的网站安全"且不受任何黑客攻击的地方,这种论点似乎并没有解决问题.我如何说服(或吓唬)我的老板要求在他的宝贵网站上进行哈希处理?
I tried to explain to my boss how very very bad plain text passwords are, but it dawned on me: I don't think I've ever really know why they're so bad. Is there more to it than handing your hackers a list of passwords on a silver platter? That sounds bad enough for me, but in la-la land, where our websites are "secure" and impervious to any hacker, this argument doesn't seem to cut it. How can I convince (or scare) my boss into demanding hashing on his treasured websites?
推荐答案
在军队中,它被称为纵深防御".理论是你可以强化每一层,而不是只强化一层并希望它就足够了.
In the military it's called "Defense in Depth". The theory is that you harden every layer you can rather than hardening just one layer and hoping it's enough.
我听说像您这样的数据库被称为外硬内软".专门的黑客可以通过一百万种方式访问您的数据库.社会工程学、心怀不满的员工、决定查看他的登录是否仍然有效的前员工,或者他编写的后门程序仍然存在,一个错过的操作系统补丁......列表还在继续.
I've heard databases like yours called "hard on the outside, soft and chewy on the inside". There are a million ways a dedicated hacker can get access to your database. Social engineering, a disgruntled employee, an ex-employee who decides to see if his login still works, or that backdoor he wrote is still there, one missed OS patch... the list goes on.
如果不法分子通过这些方法中的任何一种获得访问权限,他不仅可以获取数据,还可以访问系统中每个用户的每个用户名/密码组合,正如有人指出的那样,人们经常使用相同的组合对于每个网站.因此,您的黑客走出去并拥有数百人的 Paypal、电子邮件和银行账户.
If a bad actor gets access through any of these methods, instead of just getting the data, he gets access to every username/password combination of every user of your system, and as someone pointed out, people often use the same combo for every website. So your hacker goes out and owns hundreds of people's Paypal, email, and bank accounts.
我画得够恐怖了吗?
这篇关于为什么纯文本密码不好,我如何让我的老板相信他的宝贵网站处于危险之中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
