我是否应该出于任何原因允许超级管理员查看用户的信息?通过用户界面输入密码?
目前我正在开发一个具有 3 个角色的应用程序:1 个用于客户,1 个用于公司员工,另一个用于超级管理员。
允许超级管理员用户通过 UI 查看/编辑用户密码是一个好习惯吗?还是只能直接通过DB修改?
更新:我正在使用 asp.net 会员提供商和 MySQL。因此,数据库中有一个名为my_aspnet_membership的表,它存储两个字段:Password和PasswordKey。字段PasswordKey似乎是加密的密码。但是,密码字段以纯文本形式存储。那么,如果这不是一个好的做法,谁能告诉我为什么要这样设计呢?谢谢大家的回复!
更新:对于那些询问它是否真的将密码存储在两个不同字段中的人:
Currently I am developing an application with 3 roles: 1 for customers, 1 for the company employees and another one for a Super Admin.
Is it a good practice to allow Super Admin users to see/edit the users' passwords through the UI? Or should it only be modified directly through the DB?
UPDATE: I am using asp.net membership provider and MySQL. Therefore, there is a table in the DB called my_aspnet_membership which stores two fields: Password and PasswordKey. The field PasswordKey seems to be the encrypted password. However, the Password field is stored in plain text. So, can anyone tell me why this is designed in this way if it is not a good practice? Thank you all for your responses!
UPDATE: For those who asked if it really stores the password in two different fields:
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
您的密码不应以未加密的方式存储在数据库中,因此,UI 和数据库的用户都不应看到您的密码。
至于是否可以修改,当然可以。
在这种情况下,应通过用户或管理员请求重新生成密码。同样,这应该在数据库中加密。我的偏好是自动为用户生成新密码,而不是让管理员自己输入密码。
鉴于此,直接在数据库中更改密码的唯一方法是在插入之前先对其进行加密。通过处理加密的 UI 可以更快地完成此操作。
更新
为了响应您的更新,您应该在 web.config 中指定对密码格式进行哈希处理:
如下所述:
http://msdn.microsoft.com/en-us/library/ff648345.aspx
Your password should not be stored un encrypted inside your database and as such, shouldn't be visible to users of the UI nor the database.
As for whether it should be modifyable, sure.
In this case the password should be re-generated through user or administrator request. Again, this should be encrypted in the database. My preference would be to auto generate the new password for the user rather than have an administrator type it themselves.
Given this, the only way to change the password directly in the database would be to encrypt it first before insertion. It's quicker to do this through an UI that deals with the encrypting.
UPDATE
In answer to your update, you should specify in your web.config that the password format be hashed:
as outlined here:
http://msdn.microsoft.com/en-us/library/ff648345.aspx
在任何情况下,都没有理由允许某人查看不属于他们的密码。
OP更新的更新:当然我无法知道为什么你的数据库是这样设计的。乐观地想,它包含简单的密码,这样如果用户忘记了密码,就可以将密码邮寄给他们——这是一个糟糕的借口,但不幸的是,这是一个常见的借口。更好的选择是让系统向他们邮寄一个新生成的临时密码——该密码仅允许设置永久密码(并且在更改发生之前不会销毁当前密码)。
There is never a reason to allow someone to see a password they do not own, under any circumstance.
Update for the OP Update: Of course I have no way to know why your DB was designed like this. Thinking optimistically, it contains the plain password so that if a user forgets their password it can be mailed to them -- a bad excuse, but an unfortunately common one. A better alternative is to have the system mail them a freshly generated temporary password -- one which works only to allow setting of a permanent password (and does not destroy the current password until the change occurs).
任何用户都不得查看任何其他用户的明文密码。即使在数据库中密码没有经过哈希处理,至少也必须进行加密。
您可以允许超级管理员更改任何用户的密码,但允许他以明文形式查看密码是禁忌。
编辑:您是否绝对确定密码字段以明文形式存储密码,而存在另一个密码密钥字段?因为,对我来说,这听起来类似于“盐”机制。其中,密码首先用一个密钥加密,然后用passwordkey字段重新加密。
编辑2:我现在几乎绝对确定您的数据库正在使用加盐密码。加盐密码通常用于提高数据库的安全级别。有关 salt 的更多信息,请查看此。
No user should be allowed to see the Plaintext password of any other user whatsoever. The password must be encrypted atleast if not hashed even in the database.
You MAY allow the super admin to change any user's password, but allowing him to see it in plaintext is taboo.
EDIT: Are you absolutely certain the password field stores the password in plaintext, while there exists another passwordkey field? Because, it sounds similar to a 'salt' mechanism to me. Where, the password is first encrypted with one key, and then re-encrypted with the passwordkey field.
EDIT 2: I am now almost absolutely certain that your database is using a salted password. Salted passwords are often used to increase the security level of the database. For more information on salt, check this.
您应该始终加密保存密码。因此,您不可能向超级管理员显示其他用户的密码。
You should always save passwords encrypted. Therefore you don't have any possibility to show the superadmin the password of another user.
您永远不应该将密码按原样存储在任何数据库中。始终使用哈希函数来保存密码。
You should never ever store password as is in any database. Always use a hash function to save the password.
您应该将所有密码加密保存在数据库中。而不是明文!!
You should save all passwords encrypted in DB.. Not in plaintext!!