Ajax Login: Password Encryption
Problem description
I am using jQuery Ajax to log in a user. Right now, I use JS to grab the values from the username and password textboxes and send them to an aspx page which checks the credentials. It then returns JSON letting the user know if they are logged in or not. Everything works well, but I noticed while using Firebug that the password was being sent in plain text.
What is the best way to encrypt the password? (BTW, I am not on a HTTPS server)
Bcrypt could be your friend. And there is also an implementation in JavaScript named jsBCrypt. I highly recommend reading this insightful article: Storing passwords in uncrackable form.
But: Be careful! If you do not use SSL or a server-provided nonce, you may be vulnerable to man-in-the-middle attacks. If someone reads the (unencrypted) traffic between your client and the server, he gets the encrypted password. And it is enough for him to use it to authenticate against the server whenever he wants without knowing the real password.
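The replay problem described in the answer above, and the effect of a server-provided nonce, as an added example that is not part of the original post. It is Node.js code in which scrypt from the built-in `crypto` module stands in for bcrypt, and every name (`staticLogin`, `issueNonce`, `clientResponse`, `nonceLogin`) and the sample user are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample data. scrypt stands in for bcrypt (assumption: Node built-ins only).
const SALT = 'constructed-salt';
const verifierFor = (pw) => crypto.scryptSync(pw, SALT, 32);
const users = new Map([['alice', verifierFor('correct horse')]]); // server-side store

// Static scheme: the client sends the same hash on every login.
function staticLogin(user, sentHash) {
  const v = users.get(user);
  return !!v && sentHash.length === v.length && crypto.timingSafeEqual(sentHash, v);
}

// Nonce scheme: the server issues a random, single-use challenge per attempt.
const pending = new Map(); // nonce -> user it was issued to
function issueNonce(user) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(nonce, user);
  return nonce;
}

// Client: bind the hash to this nonce, so the value on the wire changes every time.
function clientResponse(password, nonce) {
  return crypto.createHmac('sha256', verifierFor(password)).update(nonce).digest();
}

function nonceLogin(user, nonce, response) {
  // Reject unknown users and nonces that are unknown, already used, or issued to someone else.
  if (!users.has(user) || pending.get(nonce) !== user) return false;
  pending.delete(nonce); // single use: a second submission of this nonce fails
  const expected = crypto.createHmac('sha256', users.get(user)).update(nonce).digest();
  return response.length === expected.length && crypto.timingSafeEqual(response, expected);
}

function demo() {
  const sniffedHash = verifierFor('correct horse'); // the value seen on the wire (static scheme)
  const n1 = issueNonce('alice');
  const r1 = clientResponse('correct horse', n1);   // the value seen on the wire (nonce scheme)
  return {
    staticReplay: staticLogin('alice', sniffedHash),              // captured hash is accepted
    firstLogin: nonceLogin('alice', n1, r1),                      // legitimate login
    sameNonceReplay: nonceLogin('alice', n1, r1),                 // nonce already consumed
    newNonceReplay: nonceLogin('alice', issueNonce('alice'), r1), // response bound to old nonce
  };
}
console.log(demo());
```

A nonce only defeats replay of a captured response: without TLS, someone who can alter the traffic can still change the script the page loads, and the stored verifier here is itself password-equivalent if the server's store leaks.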