How to encrypt and decrypt password in asp.net


Problem description


Sorry for writing in caps.
I did not know that questions written in caps are considered as shouting.

Recommended answer

First: don't shout.

Second: ASP.net generally provides automatic user/role management (that is, you do not have to think about secure storage of user data yourself, just use the Membership stuff and LoginPanel etc). Is there a reason you are not using that?

Third: If you do have to do it manually, the standard is to store a hash of the password, not an encrypted version of it, so it is non-recoverable. This means if someone hacks your whole system (or some disaffected person at the company wants to mess with it), they don't get everyone's password, even if they know the encryption algorithm and key. When checking if a login is correct, you hash the password (1) in the same way as you did in the database, and check if they match. A decent hash which is available on all web servers is SHA-1.

(1: Actually, because of 'rainbow tables' – essentially, saved brute force attacks – you should save a hash of the 'salted' password, i.e. adding some text around it. For example, savedPass = SHA-1("hereissomesalttext"+username+password). Putting the user name in there as well means that two users with the same password won't be obvious in the database.)


using System;
using System.Security.Cryptography;
using System.Text;

// Usage, e.g. in the page's code-behind:
string pass = EncodePassword(txtPassword.Text);

public string EncodePassword(string pass)
{
    // Get the bytes of the original password (UTF-8, so the result does not
    // depend on the server's default code page)
    byte[] originalBytes = Encoding.UTF8.GetBytes(pass);

    // Compute the unsalted MD5 hash (the "encoded" password)
    byte[] encodedBytes;
    using (MD5 md5 = MD5.Create())
    {
        encodedBytes = md5.ComputeHash(originalBytes);
    }

    // Convert the hash bytes to a 'readable' hyphen-separated hex string
    return BitConverter.ToString(encodedBytes);
}


Look at this Tip/Trick

Password Storage: How to do it.

