在数据库中存储密码的首选可采取的方法 [英] Preferred recoverable method to store passwords in database
问题描述
我想在服务器上的数据库中存储一些密码。
密码应该是可以恢复的,因为我想要使用它们的第三方api需要密码。 (所以我不能使用像md5这样的单向方法...)
在数据库中保存密码的最佳方法是什么?没有比存储纯文本更好的方法吗?
AES 是加密的声音,可能是为新应用程序选择的最常见的加密(相对于散列)机制
小心为您加密的每个密码生成随机初始化向量(IV),并将密钥和IV与加密的密码字节分开存储。 p>
要了解AES和Rijndael之间的差异,请查看
http://blogs.msdn.com/b/shawnfa/archive /2006/10/09/the-differences-between-rijndael-and-aes.aspx
有一些差异Rijndael和官方FIPS-197规范之间对于AES
您应该对每个用户使用唯一的IV。然而,存储密钥每用户使得复杂的密钥管理方案成为可能。我建议一个应用程序的密钥和每个用户一个。
IV可以保存在密文旁边。密钥应存储在数据库外部。
您可以将密钥存储在web.config中。请参阅此。
I want to store some passwords on my database at server.
The passwords should be recoverable, since I want to use them for a third-party api which needs the password. (So I can't use one-way methods like md5...)
What is the best method to save passwords in database? Isn't there any better way than storing plain text?
AES is cryptographically sound and probably the most common encryption (as opposed to hashing) mechanism selected for new applications.
Take care to generate a random initialization vector (IV) for each password that you encrypt, and store the Key and the IV separately from the encrypted password bytes.
To understand differences between AES and Rijndael check out
http://blogs.msdn.com/b/shawnfa/archive/2006/10/09/the-differences-between-rijndael-and-aes.aspx
there are some differences between Rijndael and the official FIPS-197 specification for AES
You should use a unique IV per user. However, storing the key-per-user makes for a complex key management scenario. I would suggest one key for the application and an IV per user.
The IV can be saved alongside the ciphertext. The key should be stored outside of the database.
You could store the key, encrypted, in web.config. See this.
这篇关于在数据库中存储密码的首选可采取的方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
