
Storing user passwords/data in database

Looking to create a database table that saves user information (primarily user and password).

  • Is the best way to hash the password and the user?
  • Should I encrypt the name of the user too?
  • If I have a table of passwords and another with user data, how can I associate/link them?

The login is not the problem; the question is how to associate the tables (the table of passwords and the table of data for each user).

Thanks


Your basic User table would look something like this:

User Table
-------
id    username    password
1     mike        @#$90sDfsa

Where the password is a hashed version (with a salt) of my password.


You should of course hash the password before storing it, ideally with a unique salt.

As a hash function you should not use something like SHA-*, because cryptographic hash functions are designed to be fast. This makes it easy for someone who gets hold of the hash to try a large number of possible passwords very quickly.

Use a password hash function like bcrypt which is designed to be arbitrarily slow.


The login is not the problem; the question is how to associate the tables (the table of passwords and the table of data for each user).

To associate the tables you can work with relations:

  • http://dev.mysql.com/tech-resources/articles/intro-to-normalization.html#04
  • How to create relationships in MySQL


I would store the hashed and salted password in the table with the rest of the user's data. If you really want to store the passwords in a separate table, store the user id with it to associate passwords with users. In general, use a strong hashing algorithm, e.g. SHA251, and salt the passwords to prevent rainbow table attacks. I don't think that you should need to hash the username.


As I commented above, I would just hash the password.

Also, why are you storing users and passwords in a separate table? They are related, and should be in the same table. Data such as addresses would belong in a separate table.


You can use surrogate keys to do the relation between the tables, if you absolutely must have two tables, one with hashed/salted passwords, the other with user information.

You could have a setup like this:

-- passwords carries the surrogate key; users references it
CREATE TABLE passwords (PASSWORD_ID INTEGER PRIMARY KEY,
                        PASSWORD_HASH VARCHAR(255));
CREATE TABLE users (USER_ID INTEGER PRIMARY KEY,
                    PASSWORD_ID INTEGER REFERENCES passwords(PASSWORD_ID),
                    USER_ATTRIBUTE VARCHAR(30));

PASSWORD_ID is the surrogate key: you store it in the users table to reference the matching row in the passwords table. You can join the tables together with a SQL query:

SELECT * 
FROM users INNER JOIN passwords 
     ON users.PASSWORD_ID = passwords.PASSWORD_ID;
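As an added example (not from any of the answers above), this puts the two ideas of the thread together: a salted, deliberately slow password hash as the bcrypt answer recommends, stored in a passwords table that the users table references through the PASSWORD_ID surrogate key, and a login check that joins the two. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, and an in-memory SQLite database with constructed sample users.

```python
import hashlib
import hmac
import os
import sqlite3

# Slow, salted password hashing. PBKDF2-HMAC-SHA256 from the standard library stands in
# for bcrypt here (assumption); the iteration count is what makes guessing expensive.
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def open_db() -> sqlite3.Connection:
    # Two-table layout: passwords owns the surrogate key, users references it (constructed, in memory).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        PRAGMA foreign_keys = ON;
        CREATE TABLE passwords (
            PASSWORD_ID   INTEGER PRIMARY KEY,
            SALT          BLOB NOT NULL,
            PASSWORD_HASH BLOB NOT NULL);
        CREATE TABLE users (
            USER_ID        INTEGER PRIMARY KEY,
            USERNAME       TEXT NOT NULL UNIQUE,
            PASSWORD_ID    INTEGER NOT NULL REFERENCES passwords(PASSWORD_ID),
            USER_ATTRIBUTE TEXT);
    """)
    return conn

def register_user(conn, username: str, password: str, attribute: str = "") -> int:
    salt = os.urandom(16)                      # unique per user; stored in the clear next to the hash
    cur = conn.execute("INSERT INTO passwords (SALT, PASSWORD_HASH) VALUES (?, ?)",
                       (salt, hash_password(password, salt)))
    cur = conn.execute(
        "INSERT INTO users (USERNAME, PASSWORD_ID, USER_ATTRIBUTE) VALUES (?, ?, ?)",
        (username, cur.lastrowid, attribute))
    return cur.lastrowid                       # the new USER_ID

def verify_login(conn, username: str, password: str) -> bool:
    # The join on the surrogate key recovers this user's salt and stored hash.
    row = conn.execute(
        "SELECT p.SALT, p.PASSWORD_HASH FROM users u "
        "JOIN passwords p ON u.PASSWORD_ID = p.PASSWORD_ID WHERE u.USERNAME = ?",
        (username,)).fetchone()
    if row is None:
        return False                           # unknown user
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)
```

Because each user gets a fresh random salt, two accounts with the same password still end up with different PASSWORD_HASH values.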
