How to correctly use salted and hashed passwords


Problem description

I'm having difficulties logging in to a page I've written using a salt-hashed password. Actually, the code generates a 32-byte random salt that it adds to the text input as the password. Then the hash of this is computed and stored in a table. However, when one has to log in, the text he inputs as the password is salted with the same salt, then hashed with the same hash function. If a match is detected, then login is granted; else, login is refused. I have difficulties implementing that.

Help please. My code below.

What I have tried:

// The fragment below runs inside a WinForms form (comboBox1 = username,
// textBox2 = password). The namespaces it needs, at the top of the form's source file:
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Windows.Forms;

con.Open();
// A fresh salt is generated on every login attempt, so the hash computed
// below is not the one that was stored when the account was created.
string salt = SaltF(32);
string Md = @"select Username, SH from SecureUser where Username= @usrn and SH= @sh";

SqlParameter usrname = new SqlParameter();
usrname.ParameterName = "@usrn";
usrname.Value = comboBox1.Text;
SqlParameter Sha = new SqlParameter();
Sha.ParameterName = "@sh";
Sha.Value = SaltHashF(salt, textBox2.Text);

SqlCommand cmdLd = new SqlCommand(Md, con);
cmdLd.Parameters.Add(usrname);
cmdLd.Parameters.Add(Sha);

// Count the matching rows; exactly one row means the credentials matched.
int K = 0;
using (SqlDataReader dr = cmdLd.ExecuteReader())
{
    while (dr.Read())
    {
        K++;
    }
}
con.Close(); // closed on both paths (the original only closed on success)

if (K == 1)
{
    MessageBox.Show("Login Successful", " ", MessageBoxButtons.OK, MessageBoxIcon.Information);
    textBox2.Clear();
    ChangePasswordPlatform cpp = new ChangePasswordPlatform();
    cpp.Tag = this;
    cpp.Show(this);
    Hide();
}
else
{
    MessageBox.Show("Invalid username or password", " ", MessageBoxButtons.OK, MessageBoxIcon.Warning);
    textBox2.Clear();
}

// Generates `size` random bytes and returns them Base64-encoded.
private static string SaltF(int size)
{
    using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
    {
        byte[] bytes = new byte[size];
        rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }
}

// Prepends the salt to the password and hashes the result.
// Hash256F (the SHA-256 helper) is not shown in the post.
private static string SaltHashF(string salt, string pwd)
{
    string PwdAndSalt = string.Concat(salt, pwd);
    string PwdSaltHash = Hash256F(PwdAndSalt);
    return PwdSaltHash;
}

Solution

You have to use the same salt with each user. So generate a salt for user1, let's say "salt1". You then add that to their password and hash it, then store the salt and the hashed result: hash(salt + pwd) (let's say it's ABCDEFG).

UserID, Username, Salt, Hash
1, user1, salt1, ABCDEFG
When that user logs in, you read their salt from the database, add it to the password they supplied in the password box, and hash it to see if it matches the stored hash.

GenerateHash(dr["Salt"] + textBox2.Text)

What your code is doing is generating a new salt each time, so if you salt user1's password with "salt1" when they create their account, then when they log in salt it with "salt2", the resulting hashes won't match, as

hash("salt1" + "password") <> hash("salt2" + "password")

If you Google, there are articles that show you how to do all of this.


See Secure Password Authentication Explained Simply [^].
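The procedure the answer describes (generate a salt once per user at registration, store salt and hash together, re-read the stored salt at login, hash again and compare), as an added C# example that is neither the poster's nor the answerer's code. The in-memory dictionary stands in for the SecureUser table, SHA-256 over salt + password mirrors the thread's hash(salt + pwd), and CryptographicOperations.FixedTimeEquals assumes .NET Core 2.1 / .NET 5 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. The salt is generated once per
// user at registration, stored next to the hash, and re-read at login.
public static class SaltedLogin
{
    // One row of the SecureUser table: salt and hash are stored together.
    public sealed class UserRecord
    {
        public byte[] Salt { get; set; }
        public byte[] Hash { get; set; }
    }

    // Stand-in for the database table (constructed for this example).
    private static readonly Dictionary<string, UserRecord> Users =
        new Dictionary<string, UserRecord>(StringComparer.Ordinal);

    // Registration: a fresh 32-byte salt for THIS user, then store salt and hash.
    public static void Register(string username, string password)
    {
        byte[] salt = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        Users[username] = new UserRecord
        {
            Salt = salt,
            Hash = HashSaltAndPassword(salt, password)
        };
    }

    // Login: read the user's STORED salt, recompute the hash, compare in fixed time.
    // No new salt is generated here; that is the bug in the question's code.
    public static bool Login(string username, string password)
    {
        if (!Users.TryGetValue(username, out UserRecord record))
        {
            return false; // unknown user gives the same answer as a wrong password
        }
        byte[] candidate = HashSaltAndPassword(record.Salt, password);
        // Fixed-time comparison (assumes .NET Core 2.1+ / .NET 5+).
        return CryptographicOperations.FixedTimeEquals(candidate, record.Hash);
    }

    // hash(salt + pwd) as in the answer: SHA-256 over the salt bytes followed
    // by the UTF-8 bytes of the password.
    private static byte[] HashSaltAndPassword(byte[] salt, string password)
    {
        byte[] pwdBytes = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwdBytes.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwdBytes, 0, input, salt.Length, pwdBytes.Length);
        using (SHA256 sha = SHA256.Create())
        {
            return sha.ComputeHash(input);
        }
    }

    public static void Main()
    {
        Register("user1", "correct horse");
        Console.WriteLine(Login("user1", "correct horse"));  // True: stored salt, same password
        Console.WriteLine(Login("user1", "wrong password")); // False
        Console.WriteLine(Login("nobody", "correct horse")); // False: unknown user
    }
}
```

Against the poster's SecureUser table the same flow is a query by username only (select Salt, SH from SecureUser where Username = @usrn), with the comparison done in code after the stored salt has been read, rather than passing a freshly salted hash into the WHERE clause; the Salt column from the answer's table is the only schema change. SHA-256 is used here to match the thread; for a production login a deliberately slow password hash such as PBKDF2 (Rfc2898DeriveBytes in .NET) is the usual choice, with its iteration count stored alongside the salt.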