Question
I'm working on a security system for a web application's admin section. If an admin wants to make some important changes in the application, he will need to answer a security question.
My question is: should the answer to this question be hashed in the database?
Also, I'm thinking of giving the administrators the possibility to change their question/answer, but an admin could do this only if he confirms his identity using his password. Is this a good approach?
Answer 1:
Hashing it is a great idea, in my opinion. No one really needs to know it other than the original user, so it is better to keep it more of a "secret" from prying eyes.
As far as the ability to change it, that is a great idea as well, and requiring him/her to enter their password to change it is another good security approach.
I think you are on the right track with your thinking.
Answer 2:
Yes, but be sure to normalize it before hashing - lowercase it, consider removing all characters that aren't alphanumeric, etc. If I enter "ceejayoz" as my question, it should probably accept " CEEJAYOZ " as well.
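As an added example (not code from the question or either answer), this is one way to implement the normalization answer 2 describes before hashing, and to store the result with a salted, deliberately slow hash, since security answers are low-entropy and a plain fast hash would be easy to brute-force. The function names, the record format and the PBKDF2 round count are assumptions chosen for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

# Constructed parameter for this example; tune upward to your latency budget.
PBKDF2_ROUNDS = 200_000


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so trivial variations compare equal.

    NFKC folds compatibility forms (e.g. ligatures, full-width digits),
    casefold() is a stronger lowercase, and the filter drops whitespace,
    punctuation and symbols while keeping letters and digits in any script.
    """
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def hash_answer(answer: str, salt: bytes | None = None) -> str:
    """Return a self-describing record: algorithm$rounds$salt_hex$digest_hex.

    The salt is per-record so identical answers for different admins do not
    produce identical stored values (assumed format, not a standard one).
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_answer(candidate: str, stored: str) -> bool:
    """Re-derive with the stored salt and round count; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(rounds),
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_answer("ceejayoz")          # constructed sample answer
    print(verify_answer(" CEEJAYOZ ", record))  # accepted after normalization
    print(verify_answer("ceejayos", record))    # rejected
```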
Source: https://stackoverflow.com/questions/5747154/should-security-question-answers-be-hashed