防止用户通过Firebug / Chrome开发工具查找密码
护照输入字段:
<input type="text" required="" tabindex="2" class="std_textbox" placeholder="Enter your account password." id="pass" name="pass">
当< input type =password> 更改为< input type =text> 密码被显示。在保存密码或从密码管理器生成的系统中,这可能是危险的。
When the <input type="password"> is changed to <input type="text"> The password is revealed. This can be risky in systems which have saved passwords or generated from Password managers.
可以在这里使用客户端加密吗?如何实现?
Can client side encryption be used in here? How can it be implemented?
简短的回答:不幸的是无法阻止。这是因为所有客户端代码(JavaScript)都可以由客户端自己修改,从而使基于客户端的安全系统变得脆弱。
Short answer: It can not be prevented, unfortunately. This is because all client-side code (JavaScript) is modifiable by the client itself - thus making a client-based security system vulnerable.
我可以想到的唯一可行的解决方案的是存储密码的哈希表示,而不是原始密码。这将(如果您忽略哈希暴力攻击)保持原始密码安全。
The only workable solution I can think of, is to store a hashed representation of the password, instead of the raw password. This will (if you disregard hash-bruteforce attacks) keep the raw password safe.
哈希表示原始文本,不可逆。也就是说,原始的字符串不能被任何算法检索,只使用哈希。哈希的例子是MD5和SHA。这种技术通常用在路由器中,密码通常存储在浏览器中。
A hash is a representation of the original text, and is non-reversable. That is, the original string of characters can not be retrieved by any algorithm, using only the hash. Examples of hash' is MD5 and SHA. This technique is commonly used in routers, where password often is stored in the browser.
澄清:不要将密码存储在纯文本中,如果要采用这种预先输入的密码技术;散列和/或加密必须发生在服务器端。
Clarification: Never store your passwords in plain-text, and if you want to adopt this technique of pre-entered password; the hashing and/or encryption must occur on server side.