为什么要加密用户密码? [英] Why encrypt user passwords?
问题描述
可能重复:
为什么不保存原始密码?
一个存储加密的用户密码在数据库中,如果密码是最有价值的部分数据?它似乎不会影响外部攻击;设置每个帐户每天的有限数量的登录尝试将是有效的。它似乎不会影响内部攻击;如果有人可以访问密码,他们也可以访问其余数据库中更有价值的数据。
Why would one store encrypted user passwords in a database, if the password is the least valuable part of the data? It doesn't seem like it would affect external attacks; setting a limited number of login attempts per day per account would be effective. It doesn't seem like it would affect internal attacks; if someone can access the passwords, they've also got access to the more valuable data in the rest of the database.
我缺少这里的东西吗?
Am I missing something here? Shouldn't the entire database be encrypted using user passwords as a key for the password encryption itself to be effective?
将他的帖子与他的问题合并:
Combined his post below with his question:
好吧,我以一个坏的方式问了这个问题。让我重新整理一下。
Ok, I asked the question in a bad way. Let me rephrase this.
如果有人破解这个系统,他们拥有用户密码的事实是我所关注的最少之一。我将加密密码,但是我认为,数据库中的其他数据更有价值。假设一个内部攻击者拥有该数据,他们不关心密码。
If someone breaks into this system, the fact that they have the user's passwords is one of the least of my concerns. I'll be encrypting passwords but in my humble opinion, the other data in the database is way more valuable. Assume that if an internal attacker has that data, they don't care about the passwords.
如果数据库中没有其他任何东西被加密,数据库中的一切都是什么
If nothing else in the database is encrypted and everything else in the database is what an attacker actually wants, did encrypting passwords actually solve anything?
推荐答案
因为,哈希密码会保护它免受组织内部的攻击。这样,有权访问数据库的人将不会知道用户的密码。
Because, hashing passwords will protect it from attacks from inside the organization. This way people who have access to the database won't know the user's password.
人们习惯使用相同的密码一次又一次,因此如果您的数据库意外被破坏,您的组织不是使用户的其他帐户包括在其他组织。现在应该人们做到这一点,不,但他们做,这是更容易散列的密码,而不是向客户解释为什么里面的人拥有密码,造成损害其他系统中的几个帐户
People have a habit of using the same password over and over, and so if your database is accidentally compromised, your organization isn't the one that makes the user's other accounts comprised in other organizations. Now should people do this, no, but they do, and it's a lot easier to hash the passwords, than it is to explain to your customers why someone on the inside got a hold of the passwords and caused damage to several accounts in other systems not related to yours.
如果你认为这个原因过于夸张,你可能想知道它实际上发生在Jeff Atwood,Stack Overflow的创建者。他描述了整个Stack Overflow如何在他的博客文章我刚登录身分:发生了什么。
If you think that this reason is too exaggerated, you might want to know that it actually happened to Jeff Atwood, Stack Overflow creator. He described how the whole Stack Overflow was compromised in his blog post "I Just Logged In As You: How It Happened".
编辑:
为了进一步回答您的问题,您的其他敏感数据也应该加密。很多网络工作都在内部工作,我讨厌说,但你必须偏执,谁能看到什么信息。任何您认为敏感的,您不希望人们知道,除非他们被明确授权查看该数据,应该在数据库中加密。你是对的有有时,当比较什么可以被盗窃的密码不是那么多的关注你。关键是给你。这是对其他人,应该与系统中的其他敏感数据一起保护。
To further answer you question, your other sensitive data should be encrypted as well. A lot of cyber attacts are inside jobs, and I hate to say it, but you have to be paranoid about who can see what information. Anything that you deem sensitive that you don't want people to know unless they are specifically authorized to see that data, should be encrypted in the database. You are right there are times when comparing what can be stolen the password isn't that much of a concern to you. The key is "to you". It is to other people, and should be protected along with the other sensitive data in the system.
这篇关于为什么要加密用户密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
