Password handling best practices?


Question


We have a number of network services and web-apps authenticating users differently, some with different password requirements for very bad technical reasons. For example, one system refused $ signs until someone "fixed" the string handling in some Perl scripts. Another system appears to parse @ signs in passwords. Another system issues users passwords to them, and the developer was proud to show me that it was a reversible transformation of the username.


I understand that password hashes are preferred; but I wonder how much must necessarily be sacrificed in the transition to browser based software. For my own edification, and to make a case for change, are there authoritative references on the subject of password handling and management that I can show those in my department and those responsible for other services?
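To make the "password hashes are preferred" point concrete for the team, here is a worked example of salted, iterated password hashing and constant-time verification. This is added illustration, not code from the question, the answer, or any of the systems described; the storage-record format, the field names and the 600,000-iteration work factor are assumptions chosen for the example. It also shows that a password containing `$` and `@` survives untouched, because the password is only ever fed to the key-derivation function and never parsed or stored.

```python
import hashlib
import hmac
import os

# Storage record format (constructed for this example):
#   "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
# Every field after the algorithm label is hex, so the '$' delimiter cannot
# collide with characters in the user's password; the password is never stored.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; tune to your hardware and raise over time
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and encode it for storage."""
    # UTF-8 encode so any character, including '$' and '@', is handled verbatim.
    pw_bytes = password.encode("utf-8")
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed, leak nothing to the caller
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record predates the current algorithm or work factor."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: a password with the characters the broken systems choked on.
    record = hash_password("p@ss$word")
    print(record)
    print("correct password verifies:", verify_password(record, "p@ss$word"))
    print("wrong password verifies:  ", verify_password(record, "p@ss$w0rd"))
    print("needs rehash:", needs_rehash(record))
```

On a successful login, call `needs_rehash` and, if it returns True, re-store the password with `hash_password` while the plaintext is still in hand; that is how the work factor gets raised across an existing user base without a forced reset.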

Answer


I would recommend looking at sites like OWASP. They deal with the broader topic of web application security, of which password protection is of course a key feature. I'm sure you'll find more information there.


There are also companies like Foundstone that can teach your development team about best practices and audit your existing applications.
