解密aspnet会员密码 [英] decrypting aspnet-membership password

问题描述

我正在尝试解密存储在aspnet_membership表中的密码...



我使用以下代码，

Hi,

I am trying to decrypt my password stored in aspnet_membership table...

I am using the following code,

Dim encodedPassword() As Byte = Convert.FromBase64String(password)
Dim decryptedPassword() As Byte = MyBase.DecryptPassword(encodedPassword)
If (decryptedPassword IsNot Nothing) Then
  Return System.Text.Encoding.UTF8.GetString(decryptedPassword, 0, decryptedPassword.Length)
End If

但是在DecryptPassword（encodedPassword）行，它显示错误为

but at the line of DecryptPassword(encodedPassword) it shows error as

"Length of the data to decrypt is invalid."

任何人都可以帮我修理它...

Can Anyone help me to fix it please...

推荐答案

我同意Kieth的解决方案。除此之外，我建议您在使用asp.net内置成员资格提供程序时不应解密密码。相反，当您想要比较用户输入的密码和存储在数据库中的加密（散列）密码时，您应该读取用户输入的密码，然后加密密码并将其与数据库中的密码进行比较以确保相等。

I agree with Kieth's solution. In addition to this I would suggest that you should not decrypt the password when you are using asp.net built in membership provider. Rather , when you want to compare the password entered by the user and the encrypted( hashed) password stored in the database, you should read the password entered by the user, then encrypt it and compare it with the password from the database for equality.

查看此博客

http：// forums.asp.net/p/1091709/1638361.aspx [ ^ ]

--NDK

check this blog
http://forums.asp.net/p/1091709/1638361.aspx[^]
--NDK

假设你没有对正常机制做任何事情（即你正在使用 SqlMembershipProvider ）在存储密码时你所做的事情无法正常工作。从理论上讲，您无法获取密码，因为它是 Hashed 而不是加密。



加密是一种双向算法：如果你知道相关的密钥，你就可以获得价值。



散列不同：算法生成的值对于给定的输入和键始终相同，但即使您有密钥，也无法从散列恢复该值。从技术上讲，您尝试解密的值是盐渍哈希 - 盐可以通过在密码前随机添加密码来防止有人查询表查找具有相同密码（产生相同哈希值）的人群盐。没有盐，黑客很容易通过比较未加盐的哈希来查看谁在使用常用密码。





你真的只有三个选项：



1.完全放弃 - 这可能是一个有效的选项，具体取决于你需要什么。

2.替换或子类化默认提供程序

3.如果这是您想要实现的，请使用其中一个内置机制重置密码，请参阅：http://www.asp.net/web-forms/tutorials/security/admin/recovering-and -changing-passwords-cs [ ^ ]





首先，拥有可解密的密码代表安全风险，所以我建议[sa lted]散列 - 这就是微软在其提供商中使用它的原因。

无论您是否选择继续使用Hash，您都不需要解密密码来进行更改（实际上您在评论中描述的内容）。 MembershipProvider 的实例有一个重置密码方法，它接受当前密码和新密码。检查重置密码的人在提供新密码时知道旧密码是一种很好的安全性，如果使用加密密码，则可以根据后备存储中的加密版本对提供的密码进行加密。如果您没有使用旧密码，网吧中的某个人可能会登录并离开该网站而不会结束会话，则下一个用户可以转到登录页面并提供新密码而不知道旧密码。



提供者模型允许用户在他们不知道当前密码时回答秘密问题，您可以为代码执行类似操作，而无需解密密码。 />


最后，我强烈建议您阅读： http://forums.devshed.com/security-and-cryptography-17/password-encryption-vs-hashing-398845.html [ ^ ]哪个好讨论散列和加密之间的差异和安全性比较。

Assuming the you haven't done anything to the normal mechanism (i.e. you are using the SqlMembershipProvider) when storing the password what you are doing can't work. Theoretically you can't get the password back as it is Hashed rather than encrypted.

Encryption is a two way algorith: if you know the relevant key(s) you can get the value back.

Hashing is different: The algorithm produces a value that is always the same for a given input and key, but the value cannot be recovered from a hash even if you have the key. Technically the value you are trying to decrypt is a salted hash - the salt prevents someone querying the tables from finding groups of people with the same password (which produce the same hashes) by prepending the password with random a salt. Without the salt it is easy for hackers to see who are using commonly used passwords by comparing the unsalted hashes.


You really have only three options:

1. Give up on this entirely - this might be a valid option depending on what it is you need exactly.
2. Replace or subclass the default provider
3. Use one of the built-in mechanisms to reset the password if this is what you want to acheive, see: http://www.asp.net/web-forms/tutorials/security/admin/recovering-and-changing-passwords-cs[^]


First, having a decryptable password represents a security risk, so I'd recommend [salted] hashing - this is why Microsoft use it in their provider.
No matter whether you choose to continue to Hash or not, you don't need to decrypt the password to change it (effectively what you are describing in your comment). Instances of the MembershipProvider have a reset password method which takes the current password and the new one. It is good security to check the person resetting the password knows the "old" one when supplying the new, if you are using an encrypted one you can encrypt the supplied one against the encrypted version in the backing store. If you did not take the old password, someone in an Internet cafe might log in, and leave the site without ending the session, the next user could then go to the login page and supply the new password without knowing the old.

The provider model allows a user to answer a secret question if they do not know their current password, you could do something similar for your code without needing to decrypt the password.

Finally, I strongly suggest you read this: http://forums.devshed.com/security-and-cryptography-17/password-encryption-vs-hashing-398845.html[^] which has a good discussion of the differences, and security comparison, between hashing and encryption.

这篇关于解密aspnet会员密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！