How to store a user's password for another web application
I'm building a web application that shows users interesting visualizations of their Gmail activity (who they're emailing the most, etc). Obviously the user needs to give me his Gmail password to use the application, and I'm wondering how I should store it:
1. Store the Gmail password in plaintext. Risky!
2. Don't store the Gmail password at all; force the user to enter it every time he wants to sync data. Potentially inconvenient!
3. Encrypt the Gmail password before storing it. The user's password to my application is the key.
Something like (3) seems best, but with (3) I can only sync data when the user logs in (since I won't know his password to my application at any other time), which isn't ideal. I'd prefer a Mint.com-like solution whereby the user can click a button to sync data from Gmail at any time without re-entering his password (any idea how Mint accomplishes this without storing your banking passwords?)
Comments (2)
As of 4 days ago (good timing!) Gmail supports OAuth for accessing message data through IMAP. This means your app never needs to see users' passwords. The documentation includes libraries and sample code.
You are getting into a very risky business of account aggregation kind of deal here. Yodlee does the account aggregation for Mint, and in fact Mint does not store the banking passwords as WhirlWind suggests. Mint offloads it to Yodlee, who may store or could have some kind of secure integration with banking institutions. My advice is to not store the passwords and let the users enter it every time, or use the limited OAUTH that Google lets you use. Not sure if you can get all your analytics from this.