应如何安全地存储网络托管的密码?

发布于 2024-09-07 14:03:44 字数 475 浏览 11 评论 0原文

可能的重复:
对数据库中的纯文本密码进行加密/哈希处理

最近,我发现主要网络托管公司以明文形式存储用户的密码,甚至在尝试验证用户身份时要求用户提供密码的最后 4 位数字。这似乎是极其错误的并且充满了安全问题。我相信他们这样做的原因只是为了帮助识别用户。

  1. 安全存储用户密码的正确方法是什么?安全可靠地识别用户而不询问用户密码(例如通过电话)的正确方法是什么?
  2. 谷歌搜索了一下后,似乎很多人都抱怨一些流行的网络托管提供商使用明文方法。许多网络托管提供商真的使用这种明文方法来存储密码吗?有哪些流行的网络主机可以安全地存储用户的个人信息?

Possible Duplicate:
Encrypting/Hashing plain text passwords in database

Recently, I discovered that major web hosting companies store their users' passwords in plaintext and even ask for the last 4 digits of the user' password when trying to verify their identity. This seems vitally wrong and full of security problems. I believe their reason for doing this is to simply help in identifying users.

  1. What is the correct way to securely store users' passwords? And what is the correct way to safely and securely identify users, without asking for their passwords (e.g. over the phone)?
  2. After Googling for a little bit, it seems that many people have complained that several popular web hosting providers use the plaintext method. Can it really be true that that many web hosting providers use this plaintext method of storing passwords? What are some popular web hosts that do securely and safely store their users' personal information?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

梦醒灬来后我 2024-09-14 14:03:44

1a) 不存储用户的密码,仅存储其(加盐的)哈希值。当用户登录时,对他们提供的密码进行哈希处理,并将其与您存档的哈希值进行比较。如果您不知道用户的真实密码,就无法损害其安全性。

1b) 通过电话安全地识别用户是很困难的,您将付出的努力取决于未经授权访问帐户的“危险”程度。我的银行账户要求我使用我的家庭、工作或手机号码(我已提前列出)拨打电话。您可以要求呼叫者验证您存档的随机选择的帐户信息(例如帐号、帐单邮政编码、中间名首字母、出生日期、信用卡号的第七位数字等)。某些基于电话的系统具有与普通密码/PIN 不同的每用户 PIN 码。您可以通过短信向呼叫者的手机发送一次性密码,并要求他们在一定时间内将其输入系统。我见过的更安全的系统之一使用 Verisign 的 VIP Mobile 应用程序生成一次性密码。 (当然如果有人偷了你的手机,也没有多大帮助)

2)我怀疑信息是否公开。如果有一个不安全地存储用户帐户信息的公司列表,它将兼作“请破解我”列表,而这些公司将受到入侵尝试的打击。

1a) Don't store the user's password, only a (salted) hash of it. When a user logs in, hash the password they provide and compare it against your archived hash. If you don't know the user's real password, you can't compromise its security.

1b) It's difficult to securely identify a user over the phone, and the level of effort you'll make will depend on how "dangerous" unauthorized access to the account would be. My bank accounts require me to call from my home, work, or cell numbers (which I have listed with them in advance). You can ask the caller to verify randomly-selected pieces of account information that you have on file (like account number, billing zipcode, middle initial, date of birth, the seventh digit in the credit card number, etc). Some phone-based systems have a per-user PIN number that is different from the normal password/PIN. You can send the caller a one-time passcode to their mobile phone via text message, and require them to enter it into the system within some time limit. One of the more secure systems I've seen uses Verisign's VIP Mobile app to generate one-time passcodes. (of course if someone steals your mobile phone, it doesn't help much)

2) I doubt that information is publicly available. If there was a list of companies that insecurely store user account info, it would double as a "please hack me" list and those companies would get slammed by intrusion attempts.

无悔心 2024-09-14 14:03:44

关于#1 - 正确的方法是根本不存储密码。相反,存储密码的加盐哈希值。

至于在不询问密码的情况下安全地识别用户,这是一个有点棘手的问题。您可能用来识别它们的任何内容本质上都会成为另一个密码(与第一个密码具有相同的存储问题)。实际上,大多数服务都会使用其他一些个人信息 - soc 的最后 4 位数字。秒。号码、母亲的婚前姓名或“安全问题”。但几乎可以肯定,所有这些都不如好的密码安全。

Regarding #1 - The correct way to do it is to not store the passwords at all. Instead, store a salted hash of the password.

As for safely identifying users without asking for their passwords, that's a bit of an intractable problem. Anything you might use to identify them in essence becomes another password (with the same storage problems as the first one). Practically speaking, most services would use some other bit of personal information - last 4 digits of soc. sec. number, mothers maiden name, or a "security question". All of these are almost certainly less secure than a good password though.

一萌ing 2024-09-14 14:03:44

您通常根本不想存储密码——您存储加盐密码的哈希值。当他们想要登录时,您对他们提供的密码进行加盐和散列,并将结果与​​存储的散列进行比较。

You generally don't want to store the password at all -- you store a hash of the salted password. When they want to log in you salt and hash what they supply as the password, and compare the result to the stored hash.

最好是你 2024-09-14 14:03:44

解决您问题的第一部分:根本不要存储密码。存储密码的哈希值(加盐)。

为了通过电话识别他们,我可能会让他们首先提前验证电话号码,然后将其与他们可以定义的秘密问题结合使用。

遗憾的是,许多主机不安全地存储密码。我没有足够的经验来评论这方面的好主人。

Addressing the first part of your questions: Do not store the password at all. Store a hash of the password, salted.

For recognizing them over the phone, I'd probably have them first verify a phone number in advance, and then use that in combination with a secret question they can define.

Many hosts don't securely store passwords, sadly. I don't have enough experience to comment on good hosts in that regard.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文