Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
550 views
in Technique[技术] by (71.8m points)

encryption - How necessary is it to Encrypt database password field

I heard that for security issues it is advised to keep the password field encrypted in the database.

In case of my website only I can access the database. And I have no problem with me viewing others passwords as per our web site policy.

Does this applicable to my website too OR there is some other security reason behind telling this.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

The guidance is that nobody - not even the user themselves - should be able to see passwords, and that they should not be stored in the database in a way that allows them to be retrieved. This is because there are many ways in which this data can get lost - an administrator may print out a report, and leave it on their desk; an attacker might be able to use SQL injection to run database queries; someone may be able to break into your building and steal a backup tape.

Many customers use the same password on multiple sites - so if your sites is the weakest link, you may be exposing them to risks on other sites if they have re-used their passwords.

The recommendation is to use a cryptographic technique called "hashing", which takes the plaintext password and turns it into a meaningless string; there's no way to reverse the hash, which means that even if I stole the hashed password, I couldn't work out what the original, plain text was.

Hashing the same string twice gives the same hash - so when someone logs in, you hash their plaintext password, and compare it to the hash in the database.

The OWASP link provides further information on this topic, including "salting" the hash.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...