用密码加密哈希 [英] Salt in a hash with password

问题描述

 RNGCryptoServiceProvider rng =  new  RNGCryptoServiceProvider（）; 
  byte  [] saltByte =  new   byte  [ 8 ]; 
 
 rng.GetBytes（saltByte）; 
 
  string  salt = Convert.ToBase64String（saltByte）; 
 
 SHA512Managed hashing =  new  SHA512Managed（）; 
 
  string  hash = textboxpassword.text + salt; 
 
  byte  [] bytes = Encoding.Unicode.GetBytes（hash）; 
 
  byte  [] hash = hashing.ComputeHash（bytes）; 
 
哈希= Convert.ToBase64String（hash1）; 

这是我的样本数据，是我的盐哈希？

密码 -  P3w1VyHK0PgLmWdCuG4pzCOuTK2 / xMrK2UC2S7ZBJy45NC34r9uf3qRODtw9m287tMQfo4QAB5TuFwvc9E / 4cg == 
 
盐 -  
 drYJ2AJJNBc = 

解决方案

当然它是：你已经明确地把它放入输入数据。

没有。然而，它确实使您的加密数据具有相当强的加密性 - 因为您使用随机盐值并且似乎没有保存它 - 这将使您几乎不可能对其进行解码，除非您将整体存储在某处 - 其中有点打败这一点，真的。



使用salt的想法不是为了增加加密的强度，而是为不同的用户加密不同的文本：所以，如果你的50个用户拥有相同的密码，你就无法通过使用相同的密码告诉它是什么 - 盐意味着加密的值不同。



我在这里提出两点建议：将密码与一些独特的信息（例如用户号甚至用户ID）相结合，并将其用作加密值。用户数据的唯一性确保相同的值不会生成相同的输出。

其次，不要加密密码。永远。请改为使用它们：密码存储：如何操作。 [< a href =http://www.codeproject.com/Tips/186585/Password-Storage-How-to-do-ittarget =_ blanktitle =New Window> ^ ]

RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
                        byte[] saltByte = new byte[8];
                       
                        rng.GetBytes(saltByte);

                        string salt = Convert.ToBase64String(saltByte);

                        SHA512Managed hashing = new SHA512Managed();

                        string hash = textboxpassword.text + salt;

                        byte[] bytes = Encoding.Unicode.GetBytes(hash);

                        byte[] hash = hashing.ComputeHash(bytes);

                        hashes = Convert.ToBase64String(hash1);

Here is my sample data, is my salt in the hash?

Password - P3w1VyHK0PgLmWdCuG4pzCOuTK2/xMrK2UC2S7ZBJy45NC34r9uf3qRODtw9m287tMQfo4QAB5TuFwvc9E/4cg==

Salt -
drYJ2AJJNBc=

解决方案

Of course it is: you have explicitely put it into the input data.

No. It does however make your encrypted data pretty strongly encrypted - since you use a random salt value and don't appear to save it - which is going to make it pretty much impossible for you to decode it unless you store the whole has somewhere - which kinda defeats the point, really.

The idea of using a salt is not to increase the strength of the encryption, but to make the same text encrypted for different users different: so if 50 of your users have the same password you can't tell what it is by using the same one - the salt means that the encrypted value is different.

There are two suggestions I would make here: combine the password with some unique information (such as the user number or even userID) and use that as the value to encrypt. The uniqueness of the user data ensures that identical values don't generate the same output.
Second, don't encrypt passwords. Ever. Hash them instead: Password Storage: How to do it.[^]

这篇关于用密码加密哈希的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！