Protecting user passwords in desktop applications (Rev 2)

Question

I'm making a twitter client, and I'm evaluating the various ways of protecting the user's login information.

IMPORTANT: I need to protect the user's data from other applications. For example, imagine what happens if a bot starts going around stealing Twhirl passwords or Hotmail/GMail/Yahoo/Paypal from applications that run on the user's desktop.

Clarification: I asked this before without the 'important' portion but stackoverflow's UI doesn't help with adding details later inside the Q/A conversation.

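  • Hashing obviously won't do
  • Obfuscating in a reversible way is like trying to hide behind my finger
  • Plain text sounds promiscuous
  • Requiring the user to type in his password every time would make the application annoying

Any ideas?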

Recommended answer

This is a catch-22. Either you make the user type in his password every time, or you store it insecurely (obfuscated, encrypted, whatever).

The way to fix this is for more operating systems to incorporate built-in password managers - like OS X's Keychain. That way you just store your password in the Keychain, the OS keeps it secure, and the user only has to type in 1 master password. Lots of applications (like Skype) on OS X use Keychain to do exactly what you are describing.

But since you are probably using Windows, I'd say just go with some obfuscation and encryption. I think you may be slightly paranoid about the password-stealing-bots; if your application doesn't have a large userbase, odds are pretty low that someone will target it and specifically try to steal the passwords. Besides that, they would also have to have access to their victim's filesystem. If that's the case, they probably have a virus/worm and have bigger problems.
