Remember how the password design is better?

Title, Want to know

1. Remember how passwords are designed to be better, including features
2. Security Implications of password preservation
3. What to keep in a cookie.
4. How to encrypt cookies to ensure security

Hope can be detailed.

Reply content:

Title, Want to know

1. Remember how passwords are designed to be better, including features
2. Security Implications of password preservation
3. What to keep in a cookie.
4. How to encrypt cookies to ensure security

Hope can be detailed.

You can emulate Google's design.

1. Remember the user name almost permanently, and the password needs to be re-entered at intervals.
2. Login tokens are stolen (tokens can be encrypted user names, passwords, or simply the random number of server responses), allowing hackers to log in even without a password. " (The former may be a permanent pirate, the latter depends on the time, the service strategy)
3. It is best not to save usernames, passwords, even encrypted. Save only one token that is completely randomly generated. The service not only saves tokens, but also stores information such as IP, useragent, etc., once it has been changed, or expires (for example, 8 hours), requires a re-entry of the password.
4. The best "Encryption" is not a secret. All the secrets are on the service side, and it's no use getting tokens.

Remember, do not encrypt is safe, even if the algorithm itself can not be cracked, the attack is a lot of phase. If the user name password simple encryption can be used as the sole procured of the log, then this Chimi "itself" is can be used to log the plaintext.

Replenishment: Absolute security cannot exist, so a login is not guaranteed to be secure, but it is possible to guarantee that it will not introduce new vulnerabilities by the logging system itself.

Simple, you can encrypt the user name to save the line, such as Md5+salt, if you want to be more secure, you can add an expiration time

