Storing a password in a string before sending to database


Question


I'm trying to learn some good practice for handling passwords. I will supply some code snippets from my project and explain what I'm worried and curious about.


Let's start with the code that gets the user input, my button event code:

string username = txtUser.Text;
string password = Hash.EncryptString(txtPass.Text);


Here my idea is that, storing a password in a string in clear text is probably bad practice? I'm aware this is probably not the solution to that (especially since I'm sending it in clear text to another method which then stores it in a string anyway), but here I'm calling a method I've created to make the password into a hash. The EncryptString method in the "Hash" class:

    using System.Security.Cryptography;
    using System.Text;

    public static class Hash {
        // Despite the name, this computes a SHA1 digest of the input; nothing is encrypted.
        public static string EncryptString(string text) {
            using (var sha1 = SHA1.Create()) {
                var inputBytes = Encoding.ASCII.GetBytes(text);
                text = ""; // rebinds the local only; .NET strings are immutable, so the original text stays on the heap
                var hash = sha1.ComputeHash(inputBytes);

                // Render the 20-byte digest as 40 uppercase hex characters
                var sb = new StringBuilder();
                for (var i = 0; i < hash.Length; i++)
                    sb.Append(hash[i].ToString("X2"));

                return sb.ToString();
            }
        }
    }


So not much to say here, I make a hash of the password with SHA1 encryption. I thought it would be smart to clear the string after I used it so that the password isn't stored anymore?


Later in the code where I'm authenticating or adding the user, I'm getting or creating a unique salt and mixing it with the hashed password and using the EncryptString method again, before committing to the DB.


In the name of privacy and security, is this good practice? Or rather, what vulnerabilities are in my code at the moment and how can I fix them?

Accepted answer

There are two issues here:

  1. The one you know about: unprotected memory in the heap, and
  2. The one you don't know about: you should not hash passwords with SHA1.

Let's address both:


(1) Many security people will recommend SecureString to protect your heap memory. However, it turns out that SecureString is not quite as good as advertised. If you want to understand why, you can watch this SecureString design review on youtube. It is long, but it is excellent, and you really only need to watch 10 or 15 minutes to see the issues with it.


In the specific context of a web application, you can try all sorts of stunts to prevent cleartext passwords from being in memory, but at the end of the day you are getting the object as a string from a Request Object. You have no control over the garbage collection of that Request Object. Trying to protect the memory after you get your hands on it is analogous to putting band-aids on a sieve.


Bottom line: don't worry about it. You can't fix that problem, which is inherent to the framework.


(2) Your ideas for password storage are falling under #4 in Top 10 Developer Crypto Mistakes.


Troy Hunt has an excellent article showing how passwords are cracked by one who gets access to the database, and how to prevent such attacks by using bcrypt or pbkdf2 (bcrypt is better).
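The answer points to bcrypt or PBKDF2 instead of the salted double-SHA1 from the question. The following is an added example, not code from the question or the answer, showing the PBKDF2 variant with the .NET base class library (bcrypt needs a third-party package): a random per-user salt, a slow iterated derivation, a self-describing storage string, and constant-time comparison on verify. The iteration count and the storage format are my own choices; tune the count to your hardware.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the original post): PBKDF2-SHA256 password storage.
public static class PasswordHasher
{
    const int SaltSize = 16;        // 128-bit salt, generated fresh for every user
    const int HashSize = 32;        // 256-bit derived key
    const int Iterations = 600_000; // assumption: pick a value that costs ~100 ms on your servers

    // Returns one string for the DB column: "pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>".
    // Storing the parameters alongside the hash lets you raise Iterations later without breaking old rows.
    public static string HashPassword(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);

        var hash = Derive(password, salt, Iterations);
        return string.Join("$", "pbkdf2-sha256", Iterations,
            Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Re-derives with the stored salt and iteration count, then compares in constant time
    // so a mismatch does not reveal how many leading bytes were correct.
    public static bool VerifyPassword(string password, string stored)
    {
        var parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations <= 0) return false;

        var salt = Convert.FromBase64String(parts[2]);
        var expected = Convert.FromBase64String(parts[3]);

        var actual = Derive(password, salt, iterations);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        // This constructor encodes the password as UTF-8, unlike the ASCII encoding in the
        // question, which silently mangles non-ASCII characters.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }
}
```

On signup store `HashPassword(txtPass.Text)` in place of the SHA1 hex string; on login load the stored string for the username and call `VerifyPassword`, so the salt never needs a separate column or a second hashing pass.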
