当API调用需要以纯文本发送密码时,将密码存储在数据库中的最佳方法是什么? [英] What is the best way to store password in database when API call requires sending of password in plain text?
问题描述
我很确定这不可能是唯一的服务需要以纯文本形式发送密码。我有兴趣知道开发人员如何处理这些服务。我是web开发的新手,所以任何帮助或指针都是值得赞赏的。
不要用纯文本保存密码。您可以对密码进行加密和解密,但问题是您可以通过任何获得访问服务器的人员访问加密和解密所用的密钥,因此不安全。
另一种方法是要求他们输入密码,并将其保存在加密的Cookie或会话变量中,或者在注销您的应用后将会过期的其他内容。这样做的缺点是每当用户使用你的应用程序时都必须输入密码。
I'm writing a web app in Django that is interfacing with the Read it Later List API (http://readitlaterlist.com/api/docs/). However, all of the API calls require sending the username and password with each request. In order to do this, it seems that I need to store the user's password in plain text in my database. Am I missing something or is that the only approach possible in this case? Is there some way to store an encrypted password in my database, but yet be able to send a decrypted version of it when making the API call? If not, then are there any best practices that I should be following to safe-guard the user's password?
I'm pretty sure that this can't be the only service requiring sending password in plain-text. I'm interested in knowing how developers deal with these sort of services in general. I'm new to web development, so any help or pointers is appreciated.
Never save password in plain text. You can encrypt and decrypt the password but the problem is that the key you use to do the encryption and decryption will generally be accessible to anyone who has gained access to your server so it's not secure.
An alternative is to ask them to enter their password and save it in an encrypted cookie, or session variable or something else that will expire when they have logged out of your app. This has the drawback of them having to enter their password every time they user your app.
这篇关于当API调用需要以纯文本发送密码时,将密码存储在数据库中的最佳方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
