只是出于好奇,我想知道为什么网络应用程序通常使用用户 ID 和密码。
我没有看到原因,为什么足够长的密码也不适合。例如,由服务器应用程序生成的密码。
应用程序最终也必须使用用户 ID 是否有原因?
只要密码是唯一且长的,它就可以完美地识别用户。
只是出于好奇,我想知道为什么网络应用程序通常使用用户 ID 和密码。
我没有看到原因,为什么足够长的密码也不适合。例如,由服务器应用程序生成的密码。
应用程序最终也必须使用用户 ID 是否有原因?
只要密码是唯一且长的,它就可以完美地识别用户。
For one thing, password resets would be quite complicated without user IDs.
But the real reason would be that it's not possible to use salting to protect passwords if you don't have an user ID, which means that you would effectively not really be protecting your passwords.
Here's why. Salting requires you to know the salt that was used to generate the password hash. The process is as follows:
If you don't have an user ID, you'd need to check your password against every user in your database.
This is equivalent in complexity to checking one password is against your entire database, which is something you purposefully want to make prohibitively expensive (in time or money) by design.
Web 应用程序不只使用密码的最重要原因之一是两个用户可能拥有相同的密码。
当密码是识别用户的唯一因素时,用户 A 可以使用他的密码登录,并且可以访问用户 B 的帐户而不是他自己的帐户,因为他们使用相同的密码并且系统需要选择一个用户登录在。