How to actually store user passwords and API tokens (i.e. passwords)

A cliché in posts detailing password storage schemes is to finish by telling the sysadmins and generalist web developers not to store credentials in-house at all. I disagree with this prescription, mostly because I understand the practical reasons that make this difficult. Identity and access management is infinitely more expensive to course-correct when you aren’t the one authenticating your users. Writing auth is tricky, yes, but not only are you otherwise resigning yourself to lock-in off the bat, the size of a company’s information security department has not historically been a good indicator of how well credentials are secured. I think the type of devs who are conscientious enough to deliberately hand over their users’ fates to the “sign in with Twitter” buttons are also conscientious enough to use Argon2 instead of SHA2, and are not going to qualify for a lot of the benefit. There are also people like me who will outright refuse to use a site that forces them to connect some social media profile or email in order to log in. You’re better off learning how to build or at least identify a passable authentication pipeline now, and leave yourself the option of expanding or modifying it based on business need later.
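As an added example, not code from the original post, here is the "Argon2 instead of SHA2" distinction in working form, plus the "update policy" side of the same coin: a bare SHA-256 beside a salted, memory-hard key derivation whose work factors are stored alongside the hash so they can be raised later. The post's recommendation is Argon2; this example uses scrypt from Python's standard library as the stand-in memory-hard KDF so it runs without third-party packages (argon2-cffi's `PasswordHasher` would be the equivalent for Argon2id). The record layout (`scrypt$n$r$p$salt$key`), the work-factor constants, and the sample passphrase are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factors and record layout are assumptions for this example,
# not something the original post specifies.
SCRYPT_N = 2 ** 14   # CPU/memory cost: 128 * r * n bytes = 16 MiB at these values
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32
ALGORITHM = "scrypt"


def weak_hash(password: str) -> str:
    """The scheme the post argues against: a single, unsalted SHA-256.

    SHA-2 is fast by design, so a leaked table can be attacked at GPU speed,
    and without a salt every user who picked the same password shares a digest.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record from a password with a memory-hard KDF.

    Returns "scrypt$n$r$p$<salt hex>$<key hex>" so the parameters travel with
    the record and can be raised later without invalidating existing entries.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    return "$".join([ALGORITHM, str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def _parse(record: str):
    """Split a stored record into (n, r, p, salt, key); rejects unknown algorithms."""
    algorithm, n, r, p, salt_hex, key_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported record type: " + algorithm)
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the parameters stored in the record and compare in
    constant time, so response timing does not reveal how many bytes matched."""
    n, r, p, salt, expected = _parse(record)
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a record was made with weaker parameters than the current ones.
    Check this right after a successful login, while the plaintext is in hand,
    and re-store the password with hash_password() to upgrade transparently."""
    n, r, p, _salt, key = _parse(record)
    return (n, r, p, len(key)) != (SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_BYTES)


if __name__ == "__main__":
    passphrase = "constructed-sample-passphrase"  # constructed sample input
    # Two users with the same password: bare SHA-256 makes them linkable ...
    print(weak_hash(passphrase) == weak_hash(passphrase))   # True
    # ... while per-record salts give unrelated records.
    rec_a = hash_password(passphrase)
    rec_b = hash_password(passphrase)
    print(rec_a == rec_b)                                   # False
    print(verify_password(passphrase, rec_a))               # True
    print(verify_password(passphrase + "!", rec_a))         # False
    print(needs_rehash(rec_a))                              # False
```

The login path is `verify_password` followed by `needs_rehash`: a record written under older, cheaper parameters still verifies (its own `n`, `r`, `p` are read back from the record), and the only moment you can re-hash it under the current parameters is while the user has just supplied the plaintext.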

Before we start, let’s talk about what we’re actually preventing through well-thought-out password storage and update policies. The types of attacks you need to be seriously worried about as a developer are conditional on what you’re protecting. From a threat modeling perspective you can loosely consider three categories of web applications, when controlled for size:

  1. Applications that don’t handle money or other things of extractable monetary value (like server time, physical products, etc.).

  2. Applications that do handle money or other things of extractable monetary value.

  3. Applications that handle cryptocurrency, which is money but with built-in money-laundering for whoever steals it.

If your product is in category #1, and you’re not being entrusted with other apps that fall into categories #2 or #3, portions of this post may be overkill. Use your own judgement. Your resources might be better spent towards preventing SQLi, or wormable XSS, or horrible admin panel compromises, or some social engineering venue of total site compromise instead. I would still follow these guidelines anyways, because it’ll be a small amount of investment for something that’s going to be hard to change when you’ve got lots of users, but I can’t fault you for not really caring. Just remember that while you personally may not be guarding anything important, lots of your users almost certainly reuse passwords other places, and they care about your security.

When we get to the second category, all of those in-group memes that information security professionals parrot to each other to feel important and economically necessary actually begin to coincide with reality. As with anything else, prioritize where necessary, but I think the measures I talk about in this post are ones that can qualify as “necessary-but-not-sufficient”.

If your app is in category #3, and any implementation in this blog post is something you haven’t done or replaced with a better alternative, God help you.

Provision #1: Cryptographic Hashing

H
