How really to store your users' passwords and API tokens (which are passwords)

A cliché in posts detailing password storage schemes is to finish by telling sysadmins and generalist web developers not to store credentials in-house at all. I disagree with this prescription, mostly because I understand the practical reasons that make this difficult. Identity and access management is far more expensive to course-correct when you aren't the one authenticating your users. Writing auth is tricky, yes, but not only are you otherwise resigning yourself to lock-in from the start, the size of a company's information security department has not historically been a good indicator of how well credentials are secured. I think the type of devs who are conscientious enough to deliberately hand their users' fates over to the "sign in with Twitter" button are also conscientious enough to use Argon2 instead of SHA-2, and won't see much of the benefit. There are also people like me who will outright refuse to use a site that forces them to connect a social media profile or email account in order to log in. You're better off learning how to build, or at least identify, a passable authentication pipeline now, and leaving yourself the option of expanding or modifying it based on business need later.

Before we start, let's talk about what we're actually preventing through well-thought-out password storage and update policies. The types of attacks you need to be seriously worried about as a developer are conditional on what you're protecting. From a threat modeling perspective you can loosely consider three categories of web applications, when controlled for size:

  1. Applications that don't handle money or other things of extractable monetary value (like server time, physical products, etc.).
  2. Applications that do handle money or other things of extractable monetary value.
  3. Applications that handle cryptocurrency, which is money but with built-in money-laundering for whoever steals it.

If your product is in category #1, and you're not being entrusted with other apps that fall into categories #2 or #3, portions of this post may be overkill. Use your own judgement. Your resources might be better spent on preventing SQLi, or wormable XSS, or horrible admin panel compromises, or some social-engineering route to total site compromise instead. I would still follow these guidelines anyway, because it's a small investment in something that's going to be hard to change once you've got lots of users, but I can't fault you for not really caring. Just remember that while you personally may not be guarding anything important, lots of your users almost certainly reuse passwords in other places, and they care about your security.

When we get to the second category, all of those in-group memes that information security professionals parrot to each other to feel important and economically necessary actually begin to coincide with reality. As with anything else, prioritize where necessary, but I think the measures I talk about in this post are ones that qualify as "necessary but not sufficient".

If your app is in category #3, and any implementation in this blog post is something you haven't done or replaced with a better alternative, God help you.

Provision #1: Cryptographic Hashing

Hopefully, if you're making these types of business and architectural decisions, you know that passwords are not supposed to be stored as-is in your database. If you don't, now you do. You also need to make sure that you are not, as is surprisingly common, inadvertently logging or recording the passwords your users sign up with anywhere in persistent storage. Request-body logging, debug-level framework logs and error trackers that capture submitted form fields are the usual culprits. A rule of thumb: if your app writes plaintext credentials from your users to disk at any point in the signup or login process, via a database or anything else, something needs to be fixed.

This is possible because your website never actually needs to know the password. All the site has to do during login is verify that the password the user entered is the same as the one they signed up with, which does not require that it be written down anywhere. Instead, what should be stored is a "cryptographic hash" of the password: the result of a one-way function that turns the password into a fixed-size string. When the user logs in again, the hash of the password they entered is compared with the hash stored on disk. This way, if anyone gets access to or leaks the site's datastore, they don't have the raw passwords; they have a hash, which they must then try to reverse by running candidate passwords through the same hashing algorithm and looking for a match.

And hopefully, if you've heard of cryptographic hashing, you've also heard that you shouldn't store passwords without something called a "salt": an additional random input to the hashing algorithm, unique per password and stored alongside the hash (16 bytes from a CSPRNG is the usual choice). If you use a cryptographic hash by itself, attackers can use a publicly available "rainbow table", which is just a giant pre-computed map of passwords to hashes for that algorithm. With a random and long enough salt, identical passwords no longer produce identical hashes, each password has to be cracked individually, and attackers can't share or generate these tables in advance.

Unfortunately, when many web application developers choose a hash for their passwords they tend to reach for SHA-1/2/3, or perhaps PBKDF2. Instead, you should use a modern "password hashing algorithm" (PHA) like Argon2 (ideally the Argon2id variant) or scrypt; bcrypt is also an acceptable choice. PBKDF2 is at least an iterated, tunable construction, but it is not memory-hard, so GPUs and ASICs gain far more against it than against Argon2 or scrypt. The differences are manifold:

  1. PHAs are designed to be expensive to compute, while regular cryptographic hashes are designed for speed. A rented GPU fleet or a botnet can try on the order of trillions of SHA-1 hashes in an hour for a couple hundred dollars. A good password hashing algorithm cripples that to maybe hundreds of thousands, and lets you specify how much RAM, parallelism and CPU time each hash costs, so that the algorithm is as expensive as the hardware you run it on can tolerate. A 100 ms delay is almost unnoticeable to a user signing in, but paralyzing to someone who has to try 50,000 other candidates before they get to "p@ssw0rd2!" in their wordlist.
  2. While not usually important in this context, some PHAs are designed with side channels in mind. Side-channel attacks glean sensitive information from the implementation side effects of a cryptographic operation, such as timing, power consumption or cache behaviour. Normally these require local access to the machine and intimate knowledge of the hardware, but not always. Argon2 comes in variants for exactly this reason: Argon2i uses data-independent memory access to resist side channels, Argon2d uses data-dependent access for the strongest resistance to GPU cracking, and Argon2id combines the two and is the recommended default for password storage.
  3. PHAs are also designed to limit the asymmetry between the hash rate of attackers and that of regular users. For SHA-1/2/3, purpose-built ASICs (application-specific integrated circuits) exist that compute enormous numbers of hashes at once. Memory-hard password hashing algorithms limit the advantage that can be gained this way, and keep cracking cost proportional to the amount of general-purpose hardware the attacker has.

As opposed to the plain SHA-3+salt scheme, password hashing algorithms move a leaked database dump much closer in cost to an online password guessing attack, where the attacker just tries logins with a bot through your login page. An offline attack still runs without your rate limiting or lockouts, so it remains the more dangerous of the two; the point is that each guess now costs the attacker real CPU time and memory instead of nanoseconds.

Provision #2: Symmetric Encryption with a well-secured key

Another cliché in password storage how-tos is to first give encryption as an example of a bad solution, before introducing password hashing and presenting it as the correct alternative. Guess what? There's no reason you can't do both. Hash the passwords users give you at signup, and then, before storing or retrieving those hashes, encrypt or decrypt them with a site-wide key. This site-wide secret is what the literature usually calls a "pepper"; encrypting the hash, rather than mixing the pepper into the hash input, has the advantage that the key can be rotated by re-encrypting rows without users re-entering a password. Use an authenticated mode (AES-GCM or ChaCha20-Poly1305) so that a tampered row fails to decrypt instead of yielding a garbage hash.

Sometimes it's suggested to me that because one's datastore service (Heroku PostgreSQL, Amazon S3) "encrypts all database contents at rest", a second key is unnecessary. The problem is that your users table is not encrypted from the point of view of your application. Encryption at rest protects against a stolen disk and a few kinds of compromise at Heroku, AWS or Google Cloud Platform that would otherwise lead to database dumps, but it does nothing against someone who finds a SQL injection, an unsecured admin panel, or an employee laptop with database credentials: they query the database the same way your app does and get plaintext back. Application-level encryption keeps attackers who get sideways access to your datastore from grabbing usable hashes in the first place, even if they're running the same SQL SELECT statements your team does in application code.

Then it's suggested that this is pointless, because any attacker who compromises a password database almost certainly also has access to the key used to decrypt those password hashes during login. Historically this is not correct: the 2013 Adobe breach revealed many terrible things about Adobe's security (the passwords were encrypted with 3DES in ECB mode, regrettably, and stored next to unencrypted password hints), but the key used to encrypt them was never recovered. I think this reflects a misconception about how this is done in practice: you shouldn't store the key used to encrypt items in your database in that database. If you do, that really does negate a lot of the benefit. Pass the key into your app via an environment variable or a mounted secret, and use whatever credential management solution you already use to store Postgres passwords or API keys (HashiCorp Vault, AWS Secrets Manager, etc.) to hold the decryption key long term.

Provision #3: Signup restrictions

Password requirements get a bad rap, and generally they're implemented poorly, but the idea is sound. The best way to ensure a password isn't cracked is to use a good password. So don't let your users use "qazwsxedc" as a password, or else your fancy hashing is useless (at least for those really uncooperative users). The real problem with these requirements is that the site is only loosely approximating the entropy of the password through its 8-characters-and-one-number-and-one-special-character rules. People hate these naive measures of password strength, and rightly so; whenever a 64-character alphanumeric password generated by KeePassXC gets rejected, I immediately wonder what the devs were smoking.

The solution here is simple. Now that you're using a good password hashing algorithm, and it costs even a well-equipped attacker around ten milliseconds per guess, just download a wordlist of the top ten million or so leaked passwords. It doesn't much matter whether it's representative of your users in particular, so long as it's compiled from actual leaks, because a list that size has millions of entries of headroom beyond what an attacker will realistically try per hash at that cost. When a customer tries to use a password on that list, reject it and explain that it appears on a list of breached passwords. Apply the same check on password changes, and consider running it against existing users' passwords at login time so that old accounts get flagged too.

People might complain about not knowing in advance whether their password is blacklisted while they sign up, but this way you can be sure that your users are at least not using one of those first ten million common passwords if someone gets the hashes. Perhaps you will be unlucky and your users' choices will cluster around the next couple million, plus some site-specific ones, but for the most part you'll ensure that even uncooperative users' passwords take days to crack cold, assuming the attacker has also managed to get the decryption key.

And by this point you've removed most of the danger that comes from offline password cracking. If I know someone is using this scheme, I'm more worried about the attack vector that was used to dump the users table than about the passwords that leaked in the process. Or about other data, like API tokens or "reset password" nonces, that should be hashed but often isn't: these are bearer secrets, so a dump that contains them in the clear is an immediate account takeover with no cracking required. Because they are generated randomly with hundreds of bits of entropy, an unsalted fast hash like SHA-256 is sufficient for them; the slow, salted treatment is what low-entropy human passwords need. None of that is going to stop the media from publishing news articles pushing free credit monitoring like crazy, so keep diligently using those prepared statements.

Provision #4: HIBP

This one might be controversial, but I'm putting it here anyway.

If you've been following this guide so far, password reuse is now your largest remaining problem when it comes to securing user credentials. Other, less savory sites are eventually going to leak plaintext or SHA-1 versions of passwords associated with the same email addresses or usernames your users signed up with. Most of your users will have dozens of accounts on dozens of different sites, and unless you're a cryptocurrency exchange (and thus clearly not in need of this guide, right?), most of them will not use password managers.

Have I Been Pwned runs Pwned Passwords, a database of more than 500 million passwords seen in breaches, updated regularly as new ones arrive. I suggest that if a user's password gets past the initial 10M wordlist, you check at signup that it doesn't exist in this database via their published, unauthenticated, un-rate-limited range API. The API works by having you SHA-1 hash the password and send only the first 5 characters of the hexadecimal digest: GET https://api.pwnedpasswords.com/range/<prefix>. It responds with the remaining 35 hex characters of every hash in its database that starts with that prefix, each with a count of how many times that password has been seen, and you check locally for an exact suffix match. This is k-anonymity: according to HIBP, you never give them the password, only a 5-character SHA-1 prefix that is shared by hundreds of unrelated passwords. They also let you request padding (the Add-Padding: true request header), so a network observer can't guess which bucket you're looking at from the size of the response; padded entries come back with a count of 0 and should be ignored.

Obviously some people will grumble at the imagined scenario of their nice new Argon2 hashes being partially compromised, because an attacker who can tie these queries to accounts could throw out every candidate password whose SHA-1 doesn't start with 3BC0F. (That is a 20-bit leak: it shrinks the search space by a factor of about a million, which matters for offline cracking but does not by itself reveal a password.) But I think this is more than worth it. There are a couple of things about this service that mitigate the risk, and a couple you can do to mitigate it further:

  1. The HIBP people seem like pretty stand-up guys. I trust them. Don't you?
  2. No API key is required for this endpoint, so HIBP doesn't necessarily know it's you who's calling. If HIBP keeps logs of these queries (I sure hope they don't) and they ever leak, it's an extra step to tie them to your service by IP address or other metadata, and another step to tie them to a particular signup. You can even proxy the connection if you want to be extra careful.
  3. If you don't keep logs of these queries (please don't), it's unrealistic for an attacker to time-correlate signups with what you asked the HIBP API. Without logs that you kept and they stole, the fact that you once asked whether some user had a password of "X", or maybe "Y" or "Z", is just not very useful information.
  4. You're not actually letting users sign up with these passwords. Sure, they might just append a 1 or a ! once you reject them and move on, but then the attacker has to find the several dozen mutations around the hashes in HIBP's database rather than the password itself.
  5. Nothing in their TOS says you can't throw a random string or five at HIBP every time you check a password, just to keep them on their toes.

Again, use your own judgement, but in return, any password your user had leaked in the past, or that another person used and got leaked, won't be used on your service. You can't ask for easier, more thorough password reuse prevention than that.

The cliché response that you shouldn't store passwords is hinting at something, though, and I think it's that you shouldn't leave your users with just one form of authentication. If you are a #2 service, encourage your accounts to set up a second factor: ideally a YubiKey (or any other FIDO2/WebAuthn authenticator), and barring that, push-based approval like Duo or Time-based One-Time Passwords (TOTP). A password can be as random as you want, but ultimately passwords get compromised through a number of different routes that often have little to do with your site's security: phishing, malware, reuse on someone else's breached site. TOTP seeds are rarely what leaks (I don't think I've ever heard of someone leaking Google Authenticator or Authy keys; it just about never happens), and a hardware key resists phishing by design because it is bound to your origin. Don't let a password that is going to be lost eventually be the only barrier between me and total account takeover.

Translated from: https://medium.com/leonard-cyber/how-really-to-store-your-users-passwords-and-api-tokens-which-are-passwords-5132cec8835b
