在SQL Server 2008中使用SHA1加密密码 [英] Encrypt passwords on Sql Server 2008 using SHA1

问题描述

我已经使用C＃，其中的用户名和密码加载主页前检查SQL Server 2008中设计了一个登录系统。我想存储的密码数据库的加密。是否有可能使用C＃和SHA1算法来做到这一点？

I have designed a Log In System using C# where the username and password is checked in SQL server 2008 before loading the main page. I wish to encrypt the stored password on the database. Is it possible to do it using C# and SHA1 algorithm?

以下是我的存储过程：

ALTER procedure [dbo].[proc_UserLogin]
 @userid varchar(20),
  @password nvarchar(50)
  As 

  declare
  @ReturnVal              varchar(500)


SET NOCOUNT ON      

  if exists(select userid,password from LoginManager where userid=@userid and password=@password)
  set @ReturnVal='0|Logged in Successfully'
  else
  set @ReturnVal='1|Login Failed/Username does not exist'

  select @ReturnVal

C＃code

C# Code

public void button1_Click(object sender, EventArgs e)
        {
            mainform = new Form1();
            string[] v;

            OleDbConnection conn = new OleDbConnection("File Name=E:\\Vivek\\License Manager\\License Manager\\login.udl");

            try
            {

                conn.Open();
                string query = "EXEC dbo.proc_UserLogin'" + username.Text+ "', '" + password.Text+"'";
                OleDbCommand cmd = new OleDbCommand(query, conn);
                string s = Convert.ToString(cmd.ExecuteScalar());
                v= s.Split('|');
                if (v[0]=="0")
                {
                    mainform.Show();
                    this.Hide();
                }
                else
                {
                    MessageBox.Show("Please enter correct user credentials and try again");
                }


             }

             catch (Exception ex)
             {
                 MessageBox.Show(ex.Message);
             }


              conn.Close();

         }

我曾问过此地其他用户类似的问题了，但他们并没有为我工作。任何人都可以提出更改code，使密码加密可以实现？

I have gone through similar questions asked by other users here, but they were not working for me. Can anyone suggest changes to the code, so that password encryption can be accomplished?

感谢

推荐答案

哈希而在C＃中盐密码

https://crackstation.net/hashing-security.htm

<一个href="https://www.bentasker.co.uk/blog/security/201-why-you-should-be-asking-how-your-passwords-are-stored" rel="nofollow">https://www.bentasker.co.uk/blog/security/201-why-you-should-be-asking-how-your-passwords-are-stored

正如我在我的评论说，散列密码是什么，你可能不应该这样做你自己。

As I stated in my comments, hashing passwords is something that you probably shouldn't be doing yourself.

有几件事情需要注意：

• 在SHA1，不建议密码
• 密码应盐腌
• 您应该使用验证userstore框架，而不是试图创建自己的，因为你很可能会这样做不对
• 我相信还有更多的

话虽这么说的，来完成你的具体问题，你会想是这样的：

That being said, to accomplish your specific question, you would want something like this:

Users
----
userId
passwordHashed

passwordHashed存储用户密码的哈希版本（明文密码不会存储任何地方的持久性。）

passwordHashed stores a hashed version of the user's password (the plain text password is never stored anywhere in persistence.)

有关检查有效的密码，这样的事情是完成的：

for checking for valid password something like this is done:

ALTER procedure [dbo].[proc_UserLogin]
 @userid varchar(20),
  @password nvarchar(50)
  As 

  declare
  @ReturnVal              varchar(500)


SET NOCOUNT ON      

  if exists(select userid,password from LoginManager where userid=@userid and password=HASHBYTES('SHA1', @password))
  set @ReturnVal='0|Logged in Successfully'
  else
  set @ReturnVal='1|Login Failed/Username does not exist'

  select @ReturnVal

有关插入/更新用户的密码，你需要确保存储哈希密码不是明文密码，因为这样;

For inserting/updating user passwords, you need to make sure to store the hashed password not the plain text password, as such;

INSERT INTO users(userId, passwordHashed) 
VALUES (@userId, HASHBYTES('SHA1', @rawPassword)

或

UPDATE users 
SET passwordHased = HASHBYTES('SHA1', @rawPassword) 
WHERE userId = @userId

编辑：

刚刚意识到你问如何完成散在C＃中，没有SQL。你可以执行以下（从采取SHA1算法的C＃哈希）：

just realized you're asking how to accomplish the hash in C#, not SQL. You could perform the following (taken from Hashing with SHA1 Algorithm in C#):

public string Hash(byte [] temp)
{
    using (SHA1Managed sha1 = new SHA1Managed())
    {
        var hash = sha1.ComputeHash(temp);
        return Convert.ToBase64String(hash);
    }
}

您code剪断可能是：

Your code snip could be:

            conn.Open();
            string query = "EXEC dbo.proc_UserLogin'" + username.Text+ "', '" + this.Hash(System.Text.Encoding.UTF8.GetBytes(password.Text))+"'";
            OleDbCommand cmd = new OleDbCommand(query, conn);

您还应该注意的是，你应该参数的参数存储过程，而不是将它们传递在你的方式 - 它看起来你已经在这方面一个单独的问题

You should also note that you should parameterize your parameters to your stored procedure rather than passing them in the manner you are - which it looks like you already have a separate question in regarding that.

这篇关于在SQL Server 2008中使用SHA1加密密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！