ASP.Net会员节省了更改后的口令为纯文本,即使散列了passwordFormat集 [英] ASP.Net Membership saves changed password as plain text even with Hashed passwordFormat set
问题描述
我使用的是ASP.Net的SqlMembershipProvider来管理我的用户。下面是我的配置:
I'm using the ASP.Net SqlMembershipProvider to manage my users. Here is my config:
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="SiteDatabase"
applicationName="WPR"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="true"
passwordFormat="Hashed" />
</providers>
</membership>
我的问题是这样的:当我打电话Membership.CreateUser创建新用户,密码存储在数据库中的散列格式与盐 - 这是所有好。然而,当我打电话Membership.ChangePassword在管理的功能,它是存储在纯文本格式的密码。我实在无法理解这种行为,因为它们的配置明明写着散列,并创建一个新用户创建一个哈希密码。
My problem is this: when I call Membership.CreateUser to create new users, the password is stored in the DB in hashed format with a salt - which is all good. However, when I call Membership.ChangePassword in an admin function, it is storing the password in plain text format. I really cannot understand this behaviour, since the config clearly says "Hashed" and creating a new user creates a hashed password.
推荐答案
在默认ASPMembership提供商的的ChangePassword()
方法,为现有用户的密码格式从数据库中检索,是用于连接$ C $格式CA现有用户新密码,不是在设置密码格式的web.config
,这可能现在指定不同的格式来使用。您可以通过看到自己的下载源code默认提供 。
Within the ChangePassword()
method of the default ASPMembership provider, the password format for an existing user is retrieved from the database and is the format used to encode a new password for an existing user, and not the password format that is set in web.config
, which may now specify a different format to use. You can see this for yourself by downloading the source code for the default providers.
我的问题是,然后,被存储在谁已经有明文存储密码的用户明文密码?您可以通过检查了passwordFormat字段的值在表中的用户 aspnet_Membership
容易检查。这些值是:
My question is then, is the password being stored in clear text for a user who already had a password stored in clear text? You can check this easily by checking the value of the PasswordFormat field for the user in table aspnet_Membership
. The values are:
Clear = 0,
Hashed = 1,
Encrypted = 2,
编辑:
如果你需要自己哈希明文密码框架code可能会派上用场。
if you need to hash clear passwords yourself, the framework code may come in handy
// generate a salt
public string GenerateSalt()
{
byte[] buf = new byte[16];
(new RNGCryptoServiceProvider()).GetBytes(buf);
return Convert.ToBase64String(buf);
}
// hashes the password, using the supplied salt
public string HashPassword(string pass, string salt)
{
byte[] bIn = Encoding.Unicode.GetBytes(pass);
byte[] bSalt = Convert.FromBase64String(salt);
byte[] bAll = new byte[bSalt.Length + bIn.Length];
byte[] bRet = null;
Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
// this assumes a Hashed password (PasswordFormat = 1)
HashAlgorithm s = HashAlgorithm.Create( Membership.HashAlgorithmType );
bRet = s.ComputeHash(bAll);
return Convert.ToBase64String(bRet);
}
现在,你只需要拉从数据库中的所有记录,其中的了passwordFormat = 0,运行它们通过一个控制台应用程序来散列密码,并保存盐,哈希密码到数据库,以及更新了passwordFormat场1
now you just need to pull all records from the database where the PasswordFormat = 0, run them through a console app to hash the password and save the salt, hashed password to the database, as well as update the PasswordFormat field to 1
这篇关于ASP.Net会员节省了更改后的口令为纯文本,即使散列了passwordFormat集的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!