安全地存储无法加密的凭据 [英] Securely storing credentials that can't be encrypted
问题描述
我有一个客户端正在运行来自多个帐户的信息聚合器。数据库需要以其他网站的方式存储用户名和密码,后来可以使用脚本登录这些网站来检索数据。
I have a client that's running an aggregator of information from multiple accounts. The database needs to store usernames and password to other websites in a way that can be used later by a script to log into those websites to retrieve data.
而不是存储他们作为纯文本,我想我们可以将其哈希存储。显然,如果他们有权访问代码和数据库,那么有人仍然可以访问纯文本版本,但是如果他们只有一个或另一个则可以访问。
Rather than store them as plain text, I'm thinking we can hash them for storage. Obviously, someone could still access the plain text version if they had access to both the code and the database, but not if they only had one or the other.
任何更好的想法?
推荐答案
如果您的系统有密码,您可以使用它来生成一个加密/解密密码的密钥其他网站。
If your system has a password, you can use it to generate a key to encrypt/decrypt the passwords for the other websites.
为此,您需要输入该密码才能解密您对数据库的密码。
With that, you require your user entering that password to be able to decrypt the passwords you have on your database.
更详细的流程如下:
- 登录系统时,用户输入密码123456。
- 您可以使用123456密码的SHA256,并获得一个密钥:8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
- 使用8d969 ...键使用AES解密您的数据库中的站点的密码。
您可以通过多种方式进行细化。例如:在计算SHA哈希值之前将密码解密。
You can refine this in a number of ways. For instance: salting the password before computing the SHA hash.
作为这种盐析的实际示例, Michael 建议使用 PBKDF2 与 HMAC - SHA-256 作为其两个参数伪随机函数。
As a practical sample on such salting, Michael suggest using PBKDF2 with HMAC−SHA-256 as its two parameters pseudo random function.
其他增强功能:存储加密版本的密钥以允许您的用户更改自己的密码,而无需重新加密所有密码...等...
Other enhancement: storing an encrypted version of the key to allow your user to change its own password without having to re-encrypt all his passwords... etc...
这篇关于安全地存储无法加密的凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
