SQL Server与Hash中的哈希密码和.net中的salt [英] Hash Passwords in SQL Server vs. Hash and salt in .net

问题描述

我已经为用户注册和登录创建了一个Web登录表单。首先我发现要在数据库中安全地存储密码，我应该在.net页面上使用hash和salt。然后我开始知道在sql server Hash-bytes中还有一个函数也是哈希密码，我可以在aspx页面中存储来自表单文本框的普通密码，在sql中将这个plian文本传递给hashbyrd，然后存储它。在验证时我只是将存储的hash passowrd与用户输入的密码进行比较。



现在我想知道哪种技术更好，为什么？



删除不必要的代码标签

I have created a Web Login Form For User Signup and Login. First i found that to securely store password in database, i should use hash and salt on .net pages. Then i came to know that there is a function in sql server Hash-bytes that also hashes the password, where i can store the plain password coming form text box in aspx page and in sql insert this plian text passowrd in hashbytes and then store it. on validation i just compare the stored hash passowrd with the user entered password.

Now i want to know that which technique is better and why?

unnecessary code tags removed

推荐答案

检查这些

初学者安全指南存储密码 [ ^ ]

&

密码安全 [ ^ ]

The Art&存储密码科学 [ ^ ]

Check these
Beginners guide to a secure way of storing passwords[^]
&
Password Security[^]
The Art & Science of Storing Passwords[^]

如果要向数据库发送纯密码，则数据来自UI层，ASP.NET。因此，在到达数据库之前，它通过网络。这篇文章可以相对容易地被窃听。即使是拥有完全权限的数据库管理员，也不应该知道您的原始密码。如果有人发布了密码的哈希值，则原始密码永远不会暴露给除本地计算机之外的任何内容，甚至不会暴露给数据库。存储在数据库中的密码首先以散列形式出现;并且加密哈希函数不能反转（不要使用MD5或SHA-1，例如，使用SHA-2算法之一）。散列与散列进行比较。



有些背景，请参阅： http://en.wikipedia.org/wiki/Cryptographic_hash_function [ ^ ]。



还有一个问题：有人可能会窃听您的哈希值，然后冒充您，但这可以通过使用HTTPS协议代替HTTP来解决： http://en.wikipedia.org/wiki/HTTPS [ ^ ]。



另见我过去的答案：

我已经加密了我的密码但是当我登录时却给我一个错误。如何解密 [ ^ ] ，

解密加密密码 [ ^ ]，

存储密码值int sql server with secure方式 [ ^ ]。

-SA

If you are sending plain password to the database, the data originate in UI tier, ASP.NET. Therefore, before reaching the database, it passed through the network. This post can relatively easily be eavesdropped. No one is supposed to know your original password, even the database administrator with full privileges. If someone posts the hash of the password, the original password is never exposed to anything except your local computer, not even the database. The passwords stored in the database came in their hashed forms in first place; and the cryptographic hash function cannot be reversed (don't use MD5 or SHA-1 though, use, for example, one of SHA-2 algorithms). The hash is compared with hash.

For some background, please see: http://en.wikipedia.org/wiki/Cryptographic_hash_function[^].

One problem remains: someone could eavesdrop you hash and later impersonate you, but this is covered by using HTTPS protocol instead of HTTP: http://en.wikipedia.org/wiki/HTTPS[^].

See also my past answers:
i already encrypt my password but when i log in it gives me an error. how can decrypte it[^],
Decryption of Encrypted Password[^],
storing password value int sql server with secure way[^].

—SA

这篇关于SQL Server与Hash中的哈希密码和.net中的salt的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！