密码处理最佳实践? [英] Password handling best practices?

问题描述

我们有许多网络服务和网络应用程序以不同的方式对用户进行身份验证，其中一些出于非常糟糕的技术原因需要不同的密码.例如，一个系统拒绝 $ 符号，直到有人修复"了某些 Perl 脚本中的字符串处理.另一个系统似乎可以解析 @ 登录密码.另一个系统向他们颁发用户密码，开发人员很自豪地向我展示这是用户名的可逆转换.

We have a number of network services and web-apps authenticating users differently, some with different password requirements for very bad technical reasons. For example, one system refused $ signs until someone "fixed" the string handling in some Perl scripts. Another system appears to parse @ signs in passwords. Another system issues users passwords to them, and the developer was proud to show me that it was a reversible transformation of the username.

我了解密码哈希是首选；但我想知道在过渡到基于浏览器的软件时必须牺牲多少.为了我自己的启迪，并提出改变的理由，是否有关于密码处理和管理主题的权威参考，我可以向我所在部门的人员和负责其他服务的人员展示?

I understand that password hashes are preferred; but I wonder how much must necessarily be sacrificed in the transition to browser based software. For my own edification, and to make a case for change, are there authoritative references on the subject of password handling and management that I can show those in my department and those responsible for other services?

推荐答案

我建议你看看像 OWASP.他们处理更广泛的 Web 应用程序安全主题，其中密码保护当然是一个关键特性.我相信你会在那里找到更多信息.

I would recommend looking at sites like OWASP. They deal with the broader topic of web application security, which of course password protection is a key feature. Im sure you'll find more information there.

还有像 Foundstone 这样的公司可以向您的开发团队传授最佳实践并审核您现有的应用程序.

There are also companies like Foundstone that can teach your development team about best practices and audit your existing applications.

这篇关于密码处理最佳实践?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！