blocks|key|1781944|text|您并没有真正说明您所询问的是哪个系统。Mac提供了Keychain+Services来处理这种秘密存储。This+question谈到了视窗系统的等价物。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|1781945|entityMap|0|LINK|mutability|MUTABLE|url|http://developer.apple.com/mac/library/DOCUMENTATION/Security/Reference/keychainservices/Reference/reference.html|1|https://stackoverflow.com/questions/442923/windows-equivalent-of-os-x-keychain^0|P|H|0|1G|D|1|0^^$0|@$1|2|3|4|5|6|7|N|8|@]|9|@$A|O|B|P|1|Q]|$A|R|B|S|1|T]]|C|$]]|$1|D|3|-4|5|6|7|U|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]|L|$5|G|H|I|C|$J|M]]]]

You didn't really say which system you're asking about. Mac OS X provides <a href="http://developer.apple.com/mac/library/DOCUMENTATION/Security/Reference/keychainservices/Reference/reference.html" rel="nofollow noreferrer">Keychain Services</a> to handle this kind of secret storage. <a href="https://stackoverflow.com/questions/442923/windows-equivalent-of-os-x-keychain">This question</a> talks about the Windows equivalent.

blocks|key|1835619|text|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1835620|+msn+messenger和其他软件如何提供一种方法来记住磁盘上的密码，然后将其发送到服务器进行身份验证？|blockquote|1835621|1835622|1835623|他们加密，存储，然后在加载时解密。正确的做法是使用DPAPI将密钥绑定到Windows用户的登录上。(这之前是使用“受保护的存储”来完成的。)|offset|length|1835624|这仍然不是“安全的”，就好像你可以以该用户的身份登录一样，没有什么能阻止你解密它。但至少与将“秘密”密钥单独内置到应用程序中的常见方法相比，它降低了风险。|1835625|entityMap|0|LINK|mutability|MUTABLE|url|http://en.wikipedia.org/wiki/Data_Protection_API^0|0|0|0|0|P|5|0|0|0^^$0|@$1|2|3|-4|4|5|6|T|7|@]|8|@]|9|$]]|$1|A|3|B|4|C|6|U|7|@]|8|@]|9|$]]|$1|D|3|-4|4|5|6|V|7|@]|8|@]|9|$]]|$1|E|3|-4|4|5|6|W|7|@]|8|@]|9|$]]|$1|F|3|G|4|5|6|X|7|@]|8|@$H|Y|I|Z|1|10]]|9|$]]|$1|J|3|K|4|5|6|11|7|@]|8|@]|9|$]]|$1|L|3|-4|4|5|6|12|7|@]|8|@]|9|$]]]|M|$N|$4|O|P|Q|9|$R|S]]]]

<blockquote>
 How can msn messenger and others provide a way to remember password on disk and then send it to the server for authentication later?
</blockquote>

They encrypt it, store it, then decrypt it on loading. The ones that are doing it properly will be using <a href="http://en.wikipedia.org/wiki/Data_Protection_API" rel="nofollow noreferrer">DPAPI</a> to tie the keys to a Windows user's login. (This was previously done using ‘Protected Storage’.)

This still isn't “secure” as such, as if you can log in as that user there's nothing stopping you decrypting it. But at least it reduces the risk compared to the common approach of having the ‘secret’ key built into the app alone.

blocks|key|480613|text|您可以使用应用程序中硬编码的“秘密”双向密钥来加密密码。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|480614|是的，可以对您的程序进行反向工程(具有不同程度的难度，但绝不是不可能的)来发现内部密钥。这是没有办法的。|480615|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

You encrypt the password using a "secret" two-way key hardcoded in your application.

And yes, your program could be reverse engineered (with various levels of difficulty, but never impossible) to discover the internal key. There's no way around that.

blocks|key|428308|text|你不能这么做。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|428309|准确地说，您不能编写一个直接将密码安全地写入磁盘，然后在不要求任何外部输入的情况下提取该密码的程序。如果你的程序能做到这一点，那么另一个程序也能做到。沿着这些思路，你所能期望的最好结果就是混淆。|428310|在更具限制性的场景中，您可以做一些聪明的事情(智能卡？TPM？是否存在集中的“钥匙链”？)这一点你可能无法假设。|428311|我的观点是:这没什么大不了的。绝对应该有一个不为公共机器保存密码的选项，否则您可能只需要以明文形式存储它们。也许你用一些微不足道的方式混淆了它，这样攻击者至少需要知道他们在做什么，但为此做大量的工作是没有意义的。|428312|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|J|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|K|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|L|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|M|8|@]|9|@]|A|$]]|$1|H|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|I|$]]

You can't.

To be precise, you can not write a program which directly writes a password to disk securely and then proceeds to extract that password without asking for any external input. If your program can do it, so can another. The best you can hope for along these lines is obfuscation.

There are clever things you could do in more restrictive scenarios (smartcards? TPM? existence of a centralized "keychain"?) which you probably can not assume.

My opinion: it isn't a big deal. There should absolutely be an option to not save passwords for public machines, but otherwise you might as well just store them in plaintext. Maybe you obfuscate it in some trivial way so that an attacker at least needs to know what they're doing, but there's no point in doing a lot of work for it.

blocks|key|1835537|text|简而言之，它不会。根据软件的不同，它可能会加密磁盘上的密码。我认为firefox用保存的密码做了类似的事情。但是，这只会混淆密码。由于程序还必须将加密密钥存储在磁盘上，因此可以找到该密钥并将其用于解密密码。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1835538|这个问题有两种可能的解决方案：|1835539|1835540|第一个是简单地要求用户输入密码。密钥链类型的程序通常在释放存储的密码之前要求用户输入密码。因此，来自用户的口令可用于加密口令文件。这个系统的好处是可以使用单个密码来聚合系统中的所有其他密码(而不是让用户记住每个密码)。|unordered-list-item|1835541|第二个是使用大多数现代商业计算机(特别是膝上型计算机)中的TPM安全芯片。这是一种硬件设备，理论上允许您安全地存储加密密钥。这样，您就可以安全地存储加密密钥。然而，你必须依赖于硬件设备以及整个软件基础设施来支持它(你不能孤立地使用它，我不相信)。|1835542|1835543|你选择如何解决这个问题取决于你想要做什么。如果您正在编写messenger客户端，那么使用某种类型的简单加密和存储在其他地方的加密密钥来保存密码可能是很好的。根据您使用的平台，应该有相应的库。如果您正在为HBI数据开发某种类型的数据库，那么您将希望找到一种利用TPM芯片的用途。如果您的平台有某种类型的keyring应用程序，那么如果可能的话，您可能想要使用它。|1835544|entityMap^0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|O|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|P|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|Q|8|@]|9|@]|A|$]]|$1|E|3|F|5|G|7|R|8|@]|9|@]|A|$]]|$1|H|3|I|5|G|7|S|8|@]|9|@]|A|$]]|$1|J|3|-4|5|6|7|T|8|@]|9|@]|A|$]]|$1|K|3|L|5|6|7|U|8|@]|9|@]|A|$]]|$1|M|3|-4|5|6|7|V|8|@]|9|@]|A|$]]]|N|$]]

In short, it doesn't. Depending on the software, it may encrypt the password on disk. I think firefox does something like this with saved passwords. However, this only obfuscates the password. Since the program must also store the encryption key on the disk, then it can be located and used to decrypt the password.

There are two possible solutions to this problem:

<ul>
<li>The first is to simply ask the user to enter a password. Keychain type programs usually ask the user for a password before releasing the stored passwords. Thus, the password from the user can be used to encrypt the passwords file. The benefit of this system is a single password can be used to agregate all other passwords in the system (as opposed to having the user remember each one).</li>
<li>The second is to use a TPM security chip found in most modern business computers (especially laptops). This is a hardware device that theoretically allows you to store encryption keys securely. In this way, you can store the encryption key securely. However, you must depend on the hardware device as well as an entire software infrastructure ot support it (you can't just use it isolation I don't believe).</li>
</ul>

Your choice of how to attack this problem depends on what you're trying to do. If you're writing a messenger client, then you're probably just fine saving the password using some type of simple encryption with an encryption key stored elsewhere. Depending on what platform you're using there should be libraries for this. If you're developing some type of data vault for HBI data, you'll want to find a use to utilize the TPM chip. If your platform has some type of keyring application, you'd probably want to use that if possible.

blocks|key|1779811|text|它们要么以未加密或对称加密的方式保存，要么以散列方式保存并以相同的方式将其发送到服务器，而不关心实际密码是什么。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1779812|edit：关于这个答案的评论当然是正确的。存储和发送散列肯定不是这样做的。谢谢你的更正。|offset|length|style|BOLD|1779813|entityMap^0|0|0|4|0^^$0|@$1|2|3|4|5|6|7|J|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|K|8|@$D|L|E|M|F|G]]|9|@]|A|$]]|$1|H|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|I|$]]

They either save it unencrypted or with symmetric encryption, or they save it hashed and send it to the server the same way, not caring what the actual password is.

edit: The comments on this answer are correct, of course. Storing and sending the hash is surely not how it's done. Thanks for the correction.

blocks|key|428257|text|通常存储在本地的密码是加密的，因为它使黑客更难破解...然而，由于解密它的密钥在同一台机器上(在IM内部)，这种加密永远不会是防弹的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|428258|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

Usually passwords stored locally are encrypted, to it makes it harder to hack... however since the key to decrypt it is in the same machine (inside the IM) this encryption is never bullet proof.

blocks|key|428412|text|我不知道特定的IM客户端使用什么，但如果是我，我会使用challenge/response+authentication。这样，密码就不会通过网络发送。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|428413|entityMap|0|LINK|mutability|MUTABLE|url|http://en.wikipedia.org/wiki/Challenge-response_authentication^0|R|X|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@$A|M|B|N|1|O]]|C|$]]|$1|D|3|-4|5|6|7|P|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]]]

I don't know what the particular IM clients use, but if it was me, I'd use a <a href="http://en.wikipedia.org/wiki/Challenge-response_authentication" rel="nofollow noreferrer">challenge/response authentication</a>. This way the password is never sent over network.

blocks|key|1835503|text|只需在您的客户端应用程序中以与在服务器上相同的方式进行散列，您就可以消除以这种方式发送实际密码的需要。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1835504|显然，您必须在发送时再次散列您的散列，否则散列将成为密码，但您可以在服务器上执行相同的操作。在身份验证消息中使用一些随机令牌。|1835505|Additions它真的不像评论看起来那么难理解：|offset|length|style|BOLD|1835506|如果您采用原始密码(明文)，将其与MAC地址、电子邮件地址、用户名或任何您可以在服务器上重现的内容连接在一起，您就是在对密码进行加盐处理，并存储相对安全的哈希。|1835507|在身份验证时，您不仅发送此散列，因为这将完全违背散列过程的目的，您将随机生成一个现时值，并将其与第一个散列连接起来，然后再次进行散列。然后在服务器上获得随机数和新的散列，用于验证服务器端的散列，从而验证最初输入的明文密码，而无需存储或传输它。|1835508|entityMap^0|0|0|0|9|0|0|0^^$0|@$1|2|3|4|5|6|7|P|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Q|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|R|8|@$F|S|G|T|H|I]]|9|@]|A|$]]|$1|J|3|K|5|6|7|U|8|@]|9|@]|A|$]]|$1|L|3|M|5|6|7|V|8|@]|9|@]|A|$]]|$1|N|3|-4|5|6|7|W|8|@]|9|@]|A|$]]]|O|$]]

just hash it the same way in your client app as you do on the server, you can eliminate the need to ever send the actual password that way.

obviously you'll have to hash your hash again when sending, otherwise the hash becomes tha password, but you can do the same on the server. Use some random token inside the authentication message.

Additions It's really not as hard to grok as the comments make it seem:

If you take the original password (plaintext) concatenate it with something like a MAC address, or email address, or username, or whatever you can reproduce on the server, you are salting the password and storing a relatively secure hash. 

Upon authentication you do not just send this hash because that would defeat the purpose of the hashing process entirely, you randomly generate a nonce and concatenate that with the first hash before hashing again. then on the server, you get the nonce and the new hash, which you use to validate your server side hash, hence validating the originally entered plaintext password, without ever storing or transfering it.

How can msn messenger and others provide a way to remember password on disk and then send it to the server for authentication later?
I searched for this topic and found a couple solutions such as BCrypt. However it stores hashed value and i can't send it to the server to authenticate. 
Others suggested do not save but that is not very practical as i will have to ask user to enter password everytime my app starts which is very annoying

how does IM remember password securely?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

教程

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云智能顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云AI代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

功能1上新10个字符

功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符。

功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符。

功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符

功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符

功能4上新

文章&问答评论现已支持表情

全新交互，全新视觉，新增快捷键、悬浮工具栏、高亮块等功能并同时优化现有功能，全面提升创作效率和体验

社区富文本编辑器全新改版！诚邀体验～ 

精选全网热门MCP server，让你的AI更好用 🚀

💥开发者 MCP广场重磅上线！

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

聚焦“写作效率、视觉美观与运行性能”三方面进行全面升级，为您提供更高效、稳定的创作环境

社区富文本&Markdown编辑器全新改版上线，欢迎大家体验!

诚挚邀请您参与本次调研，分享您的真实使用感受与建议。您的反馈至关重要，感谢您的支持与参与！

社区新版编辑器体验调研

msn messenger和其他如何提供一种方法来记住磁盘上的密码，然后将其发送到服务器进行身份验证？我搜索了这个主题，找到了一些解决方案，比如BCrypt。但是，它存储散列值，并且我不能将其发送到服务器进行身份验证。其他人建议不要保存，但这不是很实用，因为我必须要求用户输入密码，每次我的应用程序启动时，这是非常恼人的

问即时通信IM如何安全地记住密码？
EN

回答 9

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问即时通信IM如何安全地记住密码？EN

回答 9

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问即时通信IM如何安全地记住密码？
EN