将密码存储在数据库中的最佳方法 [英] Best way to store password in database
问题描述
我正在做一个需要身份验证(用户名和密码)的项目
I am working on a project that has to have authentication (username and password)
它还连接到数据库,所以我想我会在那里存储用户名和密码.但是,将密码作为位于数据库中的表中的文本字段似乎不是一个好主意.
It also connects to a database, so I figured I would store the username and password there. However, it seems like not such a good idea to have passwords as just a text field in a table sitting on the database.
我正在使用 C# 并连接到 2008 express 服务器.谁能建议(尽可能多的示例)存储此类数据的最佳方式是什么?
I'm using C# and connecting to a 2008 express server. Can anyone suggest (with as many examples as possible) what the best way to store this type of data would be?
P.S 如果可以提供充分的理由,我愿意不将这些信息存储在数据库中
P.S I am open to the idea that this info not be stored in the database if a good reason can be provided
推荐答案
您是正确的,将密码存储在纯文本字段中是一个可怕的想法.但是,就位置而言,对于您将遇到的大多数情况(老实说,我想不出任何反例)存储表示数据库中的密码是正确的做法.通过表示,我的意思是您想使用盐(每个用户应该不同)和安全的单向算法对密码进行哈希处理并存储 that,丢弃原始密码.然后,当您要验证密码时,您对值进行哈希处理(使用相同的哈希算法和盐)并将其与数据库中的哈希值进行比较.
You are correct that storing the password in a plain-text field is a horrible idea. However, as far as location goes, for most of the cases you're going to encounter (and I honestly can't think of any counter-examples) storing the representation of a password in the database is the proper thing to do. By representation I mean that you want to hash the password using a salt (which should be different for every user) and a secure 1-way algorithm and store that, throwing away the original password. Then, when you want to verify a password, you hash the value (using the same hashing algorithm and salt) and compare it to the hashed value in the database.
因此,尽管您正在考虑这是一件好事并且这是一个好问题,但实际上这是这些问题的重复(至少):
So, while it is a good thing you are thinking about this and it is a good question, this is actually a duplicate of these questions (at least):
为了进一步澄清加盐位,简单地散列密码并存储的危险在于,如果侵入者获得了您的数据库,他们仍然可以使用所谓的 彩虹表 能够解密"密码(至少那些出现在彩虹表中的密码).为了解决这个问题,开发人员在密码中添加 salt彩虹攻击根本行不通.请注意,一个常见的误解是简单地将相同的唯一且长字符串添加到所有密码中;虽然这并不可怕,但最好为每个密码添加唯一的盐.阅读本文了解更多信息.
To clarify a bit further on the salting bit, the danger with simply hashing a password and storing that is that if a trespasser gets a hold of your database, they can still use what are known as rainbow tables to be able to "decrypt" the password (at least those that show up in the rainbow table). To get around this, developers add a salt to passwords which, when properly done, makes rainbow attacks simply infeasible to do. Do note that a common misconception is to simply add the same unique and long string to all passwords; while this is not horrible, it is best to add unique salts to every password. Read this for more.
这篇关于将密码存储在数据库中的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
