最佳实践加密和解密的密码？ （C＃/。NET） [英] Best practices for encrypting and decrypting passwords? (C#/.NET)

问题描述

我需要存储在一个（最好是文本）文件加密密码，那我以后需要能够解密。密码是我使用的其他服务，并且需要以明文形式（通过SSL）有送。这不是我可以改变。什么是该领域的最佳实践？如何从恶意用户实现一定程度上的密码保护？

I need to store and encrypt a password in a (preferably text) file, that I later need to be able to decrypt. The password is for another service that I use, and needs to be sent there in clear text (over SSL). This is not something I can change. What are best practices in this area? How can achieve some degree of protection of the password from malicious users?

我的平台是用C＃/。NET 3.5。

My platform is WinForms with C#/.NET 3.5.

感谢。

推荐答案

我假设你要加密的密码，因为这将是用户的机器上他们将（可能）能够找到它，使用它？如果是这样你基本上拧 - 不管你做什么，因为它是在用户领域，他们将能够得到它，找出加密并获得密码加密（记住，使用反射 - 和它的克隆 - ISN T出大部分接触不到的地方），并解密它，他们有它。总之所有你做的是混淆的密码，而不是保护它。

I am assuming that you want to encrypt the password as it will be on the users machine and they will (possibly) be able to find it and use it? If so you are basically screwed - no matter what you do, since it is in the users domain they will be able to get it and figure out the encryption and get the password for the encryption (remember that using Reflector - and it's clones - isn't out of the reach of most) and decrypt it and they have it. In short all you are doing is obfuscating the password, not securing it.

我会建议实际上是其移出的用户控制。例如忍受其与客户端进行通信，并要求当安全返回密码的Web服务。这也可以让你更改密码，如果需要在未来，以及为您提供了一种方法来验证合法用户。

What I would recommend is actually move it out of the users control. For example put up a web service which communicates with the client and returns the password securely when requested. This also allows you to change the password, if needed in future as well as provides you with a way to validate legitimate users.

这篇关于最佳实践加密和解密的密码？ （C＃/。NET）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！