我应该加密数据库中的 OpenID 吗?

发布于 2024-09-29 14:13:01 字数 88 浏览 10 评论 0原文

我将 OpenID 存储到数据库中,这样我就可以非常快速地登录用户。我应该在数据库中对它们进行加密吗?

另一个问题是,它们是否被视为“敏感”信息?

I am storing OpenIDs into a database so I can log in users very quickly. Should I be encrypting them in my database?

An alternative question would be, are they considered 'sensitive' information?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

两人的回忆 2024-10-06 14:13:02

与另一个答案相反:。这样做没有意义。

要访问帐户,必须首先通过 OP 进行身份验证。没有任何方法可以通过简单地知道标识符(仅此而已)来以某种方式闯入某人的帐户。

OpenID 协议在设计上允许用户将其标识符放置在非常明显的位置(例如他们的主页),而几乎没有额外的风险。如果标识符是“敏感”信息,则不可能委托 OpenID。

如果您的数据库已被泄露这一事实意味着攻击者可以访问所有身份,那么 OpenID 将非常非常不安全(事实并非如此)。

OpenID 标识符只是指向提供商的 url。从这些信息中,除了用户声称的身份之外,您无法推断出任何其他信息(如果是定向身份,则甚至不能推断出用户的身份)。

您可以问自己:“我应该加密登录吗?”
如果您的答案是正确的 - 加密标识符,因为它们没有什么不同。
如果是假的,那就别打扰了。

Contrary to another answer: No. There's no point in doing it.

To get access to an account, one must first authenticate with the OP. There is no method to somehow break into someone's account by simply knowing an identifier (and only that).

The OpenID protocol, by design, allows users to place their identifiers in very obvious places (like their homepage) with little additional risk. If identifiers were meant to be 'sensitive' information, it wouldn't be possible to delegate OpenIDs.

If the fact that your database has been compromised would imply that an attacker has access to all the identities, OpenID would be really, really insecure (and it isn't).

The OpenID identifier is only a url pointing at a provider. From this information, you can't infer anything more than who the user claims to be (and in case of directed identity, not even that).

You could ask yourself: "Should I be encrypting logins?"
If your answer is true -- encrypt the identifiers, because they are no different.
If it's false, then don't bother.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文