只是出于好奇,我想知道为什么网络应用程序通常使用用户 ID 和密码。
我没有看到原因,为什么足够长的密码也不适合。例如,由服务器应用程序生成的密码。
应用程序最终也必须使用用户 ID 是否有原因?
只要密码是唯一且长的,它就可以完美地识别用户。
问问题
64 次
2 回答
1
For one thing, password resets would be quite complicated without user IDs.
But the real reason would be that it's not possible to use salting to protect passwords if you don't have an user ID, which means that you would effectively not really be protecting your passwords.
Here's why. Salting requires you to know the salt that was used to generate the password hash. The process is as follows:
- Locate salt using the User ID in your DB
- Salt & Hash the password that was provided
- Check whether this matches the password hash you have in the DB.
If you don't have an user ID, you'd need to check your password against every user in your database.
This is equivalent in complexity to checking one password is against your entire database, which is something you purposefully want to make prohibitively expensive (in time or money) by design.
于 2013-08-27T22:19:08.013 回答
1
Web 应用程序不只使用密码的最重要原因之一是两个用户可能拥有相同的密码。
当密码是识别用户的唯一因素时,用户 A 可以使用他的密码登录,并且可以访问用户 B 的帐户而不是他自己的帐户,因为他们使用相同的密码并且系统需要选择一个用户登录在。
于 2013-08-28T06:24:56.380 回答