如何针对盐和散列的密码和用户名对用户进行身份验证? [英] How to authenticate user against salted and hashed password and username?
问题描述
我正在开发.net Web api项目,需要在用户表中存储添加了盐分和哈希值的用户名和密码.
如果用户名和密码字段在用户表中随机散列并且盐存储在用户的同一行中,我将如何对用户进行身份验证?我想念什么吗?似乎我无法找到用户进行密码比较.
它们本身不是随机散列的.它们针对相同的密钥进行哈希处理.因此,要进行身份验证,您需要对输入的凭据重复进行哈希处理,然后将该哈希与用户存储的哈希进行比较.
另一种选择是使用内置的成员身份提供商为您处理身份验证.
您对散列的实际要求实际上是很难解决的要求.如您所确定的,您将没有什么可用来标识该用户的.结果,您将不得不使用一些排序数据(例如IP,用户代理字符串等)来做出最佳猜测.但是,这将是非常危险的.
最终,用户名用于标识用户是谁,而不是对该用户进行身份验证.如果您有从不显示用户名或以其他方式保护用户名的安全要求,请让他们使用其名字或其他标识符登录,以免出现用户名.最终,您必须查找用户记录,并且对用户名进行哈希处理只会增加难度,并且不会为您提供任何真正的安全优势.
可以在此处找到其他值得阅读的安全性
I am developing a .net web api project and need to store usernames and passwords salted and hashed in a users table.
How would I authenticate the user if the username and password fields are random hashed in the users table and the salts are stored in the same row for the user? Am I missing something? It seems as if I would have no way to find the user to do a password comparison.
They are not random hashed per se. They are hashed against the same key. As a result, to authenticate, you would need to repeat the hashing process for inputted credentials and compare that hash to the user's stored hash.
An additional option is to use the built in Membership providers to handle the authentication for you.
Your actual requirement of hashing both is actually a very difficult requirement to solve for. As you identified, you would have nothing to identify that user by. As a result, you would have to resort to using some sort data such as IP, user agent string, etc to make a best guess. However, this would be incredibly dangerous.
At the end of the day, usernames are for identifying who the user is, not authenticating that user. If you have security requirements to never display the username or otherwise protect the username, instead show them logged in with their first name or other identifier so that the username is not exposed. At the end of the day you HAVE to find the user record and hashing the username only makes that harder and doesn't provide you any real security benefits.
Additional worthwhile security reading can be found here
这篇关于如何针对盐和散列的密码和用户名对用户进行身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
