我一直认为将密码作为纯文本存储在数据库中是(正如这里其他人所说的)非常糟糕的事情™.

I've always been of the impression that storing passwords in a database as plain text is (as someone else here put it) a Very Bad Thing™.

从历史上看，我们的大部分服务器端编码需求都外包给了一组程序员.它们以纯文本形式将密码存储在 MySQL 数据库中.

Historically, most of our server-side coding needs have been contracted out to a group of programmers. They store passwords in MySQL databases in plain text.

作为常驻代码猴子(顺便说一句，这是第一个在这里工作的精通服务器端的猴子，所以我继承了地球，可以这么说)我有一个肚子感觉这是我的流浪汉当这种纯文本废话被利用时就行了.

As the resident code monkey (incidentally, the first server-side-savvy monkey to work here, so I'm inheriting the earth, so to speak) I have this pit of the stomach feeling that it's my bum that will be on the line when this plain text nonsense is exploited.

我试图向我的老板解释纯文本密码是多么糟糕，但我突然明白了:我想我从来没有真正知道为什么它们如此糟糕.除了给你的黑客一张白银盘上的密码列表之外，还有更多的事情吗?这对我来说听起来已经够糟糕的了，但是在 la-la 的土地上，我们的网站是安全的"并且不受任何黑客的攻击，这个论点似乎并没有削减它.我怎样才能说服(或吓唬)我的老板要求在他珍贵的网站上进行散列?

I tried to explain to my boss how very very bad plain text passwords are, but it dawned on me: I don't think I've ever really know why they're so bad. Is there more to it than handing your hackers a list of passwords on a silver platter? That sounds bad enough for me, but in la-la land, where our websites are "secure" and impervious to any hacker, this argument doesn't seem to cut it. How can I convince (or scare) my boss into demanding hashing on his treasured websites?

相关:加密/哈希纯文本密码在数据库

推荐答案

在军队中被称为纵深防御".理论是，你可以强化每一层，而不是只强化一层并希望它就足够了.

In the military it's called "Defense in Depth". The theory is that you harden every layer you can rather than hardening just one layer and hoping it's enough.

我听说像您这样的数据库被称为外面坚硬，里面柔软耐嚼".专门的黑客可以通过一百万种方式访问​​您的数据库.社会工程、心怀不满的员工、决定查看他的登录是否仍然有效的前雇员，或者他编写的后门是否仍然存在，一个错过的操作系统补丁......这个列表还在继续.

I've heard databases like yours called "hard on the outside, soft and chewy on the inside". There are a million ways a dedicated hacker can get access to your database. Social engineering, a disgruntled employee, an ex-employee who decides to see if his login still works, or that backdoor he wrote is still there, one missed OS patch... the list goes on.

如果不良行为者通过这些方法中的任何一种获得访问权限，他不仅可以获取数据，还可以访问系统中每个用户的每个用户名/密码组合，正如有人指出的那样，人们经常使用相同的组合对于每个网站.因此，您的黑客出去并拥有数百人的 Paypal、电子邮件和银行帐户.

If a bad actor gets access through any of these methods, instead of just getting the data, he gets access to every username/password combination of every user of your system, and as someone pointed out, people often use the same combo for every website. So your hacker goes out and owns hundreds of people's Paypal, email, and bank accounts.

我已经画了一幅足够可怕的画面了吗?

Have I painted a gruesome enough picture yet?