关于简单的无数据库登录系统,StackOverflow有很多问题。 当我想到的时候,我正打算在最近的一个方面建议一个盐渍哈希方法:“这样做真的有意义吗?”。
我多年来一直在数据库中存储盐渍哈希,我理解为什么它更安全:如果数据库被泄露,它所包含的信息将不允许任何人登录我的系统(不像我在那里存储纯文本密码) D b)。
但是在不涉及数据库的设置中,哈希+ salting是否提供任何安全性好处? 我能想到的唯一原因是,如果攻击者获得对我的服务器端代码的只读访问权限,则无法找出任何密码。 这可能是一种情况吗? 因为一旦攻击者获得对文件的写访问权限,他就可以做任何事情。
所以我的问题是:在设置非常简单的无数据库登录系统时,密码应该被加盐/散列,还是仅存储为纯文本?
There are many questions on StackOverflow about simple, database-less login systems. I was about to suggest a salted hash approach on a recent one, when I thought: "does it really make sense to do that?".
I have been storing salted hashes on databases for years, and I understand why it's more secure: if the database is compromised, the information it contains won't allow anyone to log into my system (unlike if I were storing plain text passwords in the db).
But in a setup that does not involve a database, does hashing+salting offer any security benefits? The only reason I can think of is, if an attacker gains read-only access to my server-side code, it won't be possible to figure out any passwords. Is this a likely scenario? Because as soon as the attacker gains write access to the files, he can do anything.
So my question is: when setting up very simple, database-less login systems, should passwords be salted/hashed, or just stored as plain-text?
最满意答案
我想如果你能找到答案,“我的源代码是否明显不太可能被攻击者读取,而不是数据库?”,那么问题就会得到解答。
我建议它不是 - 也许你的来源不太可能泄漏,这取决于事情是如何备份的等等。即便如此我怀疑它泄漏的可能性更小,你可以忽略风险,因为你这样做不要忽视数据库的相同风险。 数据库中的密码应该被加盐/散列的原因并不是数据库的某些特殊属性意味着攻击者可以查看其内容[*],而是攻击者可以通过这种或那种方式查看各种事物。
实际上,源代码甚至可能比数据库更容易泄漏,因为在系统上工作的任何人都可能需要访问源,而不是每个在系统上工作的人都需要访问实时DB的内容。 并不是说我认为你的开发人员是不诚实的(如果他们是,你的问题比密码泄漏更糟),只是围绕共享源的物流可能引入更多(或者只是不同)的方式,它可能会意外泄漏,而不是围绕备份的后勤一个DB。
就个人而言,在您的情况下,我会在服务器上创建一个包含散列/盐渍密码的小文件,而不是其他任何内容。 安装应用程序的不同实例的用户可以生成他们自己的此文件版本,包含他们自己的密码,与实际的应用程序代码分开。 他们应该使用与源代码相同的写访问限制来锁定它。
无论您将此文件称为“只读数据库”还是“服务器代码的一部分”都不会影响攻击者查看它的容易程度,尽管它可能会影响您是否将密码称为“硬编码” ”。
[*]当然存在特殊数据库,SQL注入攻击或其他任何特殊的潜在缺陷。 这些并不是数据库中密码应该被加盐和散列的决定性原因。
I think the question is answered for you if you can figure out the answer to, "is my source code significantly less likely to be read by an attacker, than is a database?".
I would suggest that it is not -- perhaps your source is somewhat less likely to leak, depending how things are backed up etc. Even so I doubt that it's so much less likely to leak that you can neglect the risk, given that you do not neglect the same risk for databases. The reason that passwords in database should be salted/hashed isn't that there's some special property of databases that means attackers can view their contents[*], it's that attackers can get a look at all kinds of things, one way or another.
In fact source code might even be more likely to leak than a database, given that anyone working on the system might need access to the source, whereas not everyone working on a system necessarily needs access to the contents of the live DB. Not that I think your developers are dishonest (if they are, you have worse problems than the password leaking), just that the logistics around sharing source might introduce more (or just different) ways it can accidentally leak, than the logistics around backing up a DB.
Personally, in your situation I would create a small file on the server containing the hashed/salted password and approximately nothing else. Users installing different instances of the app can generate their own versions of this file, containing their own password, separate from the actual application code. They should lock it down with the same write-access restrictions as they do the source code.
Whether you call this file "a read-only database" or "part of the server code" doesn't affect how easy it is for an attacker to view it, although it might affect whether you refer to the password as "hard-coded".
[*] of course there are potential flaws that are special to particular databases, SQL injection attacks or whatever. Those are not the decisive reason why passwords in databases should be salted and hashed.
更多推荐
发布评论