安全薄弱环节

发布于 2024-08-11 05:58:32 字数 310 浏览 7 评论 0原文

我已经阅读了大量有关对密码进行哈希和加盐处理、该做什么、不该做什么等的信息。我看到的问题是:如果黑客要努力窃取哈希密码列表,他不是会这样做吗?然后可以访问所有受密码保护的数据吗?这就像将密码存储到保险箱中,保险箱中。闯入并窃取密码。如果我是小偷,我就会拿走钱。

现在一家大公司可能有一个单独的服务器仅用于身份验证。然而,黑客想要的是数据,而不是密码。因此,如果两台服务器相等,我将侵入保存数据的服务器。

我在这里遗漏了一些计算机安全的基本缺陷吗?是否有非社交方法可以在没有哈希文件的情况下破解密码?

感谢您的帮助。

——戴夫

I've read a ton of information about hashing and salting passwords, do's, don't etc. The problem I see is this: If a hacker is going to go through the efforts of stealing the list of hashed passwords, doesn't he then have access to all the data that is password protected? It's like storing the combination to a safe, in the safe. Breaking in, and stealing the combination. If I were the thief, I would take the money.

Now a large company probably has a separate server just for authentication. However, the hacker wants data, not passwords. So if both servers are equal, I would break into the one that holds the data.

Is there some basic flaw of computer security that I am missing here? Are there non-social ways to crack a password without the hash file?

Thanks for your assistance.

--Dave

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

倾城泪 2024-08-18 05:58:32

您假设这样的人可以访问整个数据库。但情况并非总是如此。他们可能偶然发现了一个页面,其中的哈希值意外地暴露给用户(因此无法访问数据库的其他部分),或者他们可能使用 SQL 注入以有限的方式提取某些数据(例如,他们可能已经发现您的用户表名为 users,但没有发现您的信用卡表名为 lolcats)。

另一个安全考虑因素是您的内部 IT 人员。具有数据库合法访问权限的开发人员通常仍然不应该看到每个人的明文密码。

You're assuming such a person has access to the entire database. This isn't always the case. They may have stumbled upon a page where the hashes are accidentally exposed to users (and thus have no access to other parts of the DB), or they may have used SQL injection to pull certain data out in manner that is limited (for example, they might have figured out that your users table is called users, but not that your credit cards table is called lolcats).

Another security consideration is your internal IT folks. Developers with legitimate access to the database generally still shouldn't be seeing everyone's passwords in plaintext.

冷默言语 2024-08-18 05:58:32

原因之一是大多数用户的多个帐户使用相同的密码。未经哈希处理的密码意味着我在其他网站上的帐户可能会受到威胁 - 特别是因为电子邮件是登录的常用字段。通过对密码进行哈希处理,如果某个网站的数据库被盗,我的电子邮件帐户将不会同时被盗。

One reason is that most users have the same password for multiple accounts. An unhashed password means my accounts on other sites could become compromised - especially since email is a common field for logins. By hashing passwords, if a site has their db stolen I'm protected from having my email account compromised at the same time.

尸血腥色 2024-08-18 05:58:32

大多数用户会在多个系统中重复使用密码。如果攻击者闯入您的系统,您不希望他能够使用您的数据闯入您在不同网站上的用户帐户。

此外,如果您使用用户的密码加密数据,并且仅存储密码的哈希值,那么即使攻击者获得了您的整个数据库,也无法执行任何操作,除非他可以破解哈希值。请注意,这将导致完全不可能实现“忘记密码”功能,除非您有办法使用安全答案解密数据(使其实际上成为第二个密码)

Most users will reuse passwords across multiple systems. If an attacker breaks into your system, you don't want him to be able to use your data to break into your users' accounts on different websites.

Also, if you encrypt data using the user's password, and only store a hash of the password, then an attacker won't be able to do anything even if he gets your entire database unless he can crack the hashes. Note that this would make it completely impossible to implement a 'forgot password' feature unless you have a way to decrypt the data using the security answer (making it in effect a second password)

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文