我使用的是Mysql,我假设最好将用户的个人信息以及他们的登录名和密码分成两个不同的表,然后在这两个表之间进行引用.
注意:为澄清我的帖子,我了解保护密码(哈希,盐等)的技术.我只知道,如果我遵循生活中其他部分的做法(投资,数据备份,甚至是个人存储),那么在最坏的情况下(包括表或火灾),将信息分散在表之间可以保护您的利益.其他数据.
解决方案不存储密码.如果它曾经位于磁盘上,则可能被盗.而是存储密码哈希. 使用正确的哈希算法,例如bcrypt(包含盐). /p>
编辑:OP回复说他了解上述问题.
无需将密码存储在与登录信息完全不同的表中.如果一个数据库表被破坏,则访问同一数据库中的另一个表并不是一个很大的飞跃.
如果您充分关注安全性和深度安全性,则可以考虑将用户凭据存储在与域数据完全独立的数据存储中.通常采用的一种方法是将凭据存储在LDAP目录服务器中.这也可能对您以后进行的单点登录工作有所帮助.
I'm using Mysql and I was assuming it was better to separate out a users personal information and their login and password into two different tables and then just reference them between the two.
Note : To clarify my post, I understand the techniques of securing the password (hash, salt, etc). I just know that if I'm following practices from other parts of my life (investing, data backup, even personal storage) that in the worst case scenario (comprised table or fire) that having information split among tables provides the potential to protect your additional data.
解决方案Don't store passwords. If it's ever sitting on a disk, it can be stolen. Instead, store password hashes. Use the right hashing algorithm, like bcrypt (which includes a salt).
EDIT: The OP has responded that he understands the above issue.
There's no need to store the password in a physically different table from the login. If one database table is compromised, it's not a large leap to access another table in that same database.
If you're sufficiently concerned about security and security-in-depth, you might consider storing the user credentials in a completely separate data store from your domain data. One approach, commonly done, is to store credentials in an LDAP directory server. This might also help with any single-sign-on work you do later.
更多推荐
如何最好地存储用户信息以及用户登录名和密码
发布评论