ASP.Net会员节省了更改后的口令为纯文本，即使散列了passwordFormat集 [英] ASP.Net Membership saves changed password as plain text even with Hashed passwordFormat set

问题描述

我使用的是ASP.Net的SqlMembershipProvider来管理我的用户。下面是我的配置：

I'm using the ASP.Net SqlMembershipProvider to manage my users. Here is my config:

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
            <providers>
                <clear />
                <add
                    name="SqlProvider"
                    type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                    connectionStringName="SiteDatabase"
                    applicationName="WPR"
                    minRequiredPasswordLength="6"
                    minRequiredNonalphanumericCharacters="0"
                    enablePasswordRetrieval="false"
                    enablePasswordReset="true"
                    requiresQuestionAndAnswer="false"
                    requiresUniqueEmail="true"
                    passwordFormat="Hashed" />
            </providers>
        </membership>

我的问题是这样的：当我打电话Membership.CreateUser创建新用户，密码存储在数据库中的散列格式与盐 - 这是所有好。然而，当我打电话Membership.ChangePassword在管理的功能，它是存储在纯文本格式的密码。我实在无法理解这种行为，因为它们的配置明明写着散列，并创建一个新用户创建一个哈希密码。

My problem is this: when I call Membership.CreateUser to create new users, the password is stored in the DB in hashed format with a salt - which is all good. However, when I call Membership.ChangePassword in an admin function, it is storing the password in plain text format. I really cannot understand this behaviour, since the config clearly says "Hashed" and creating a new user creates a hashed password.

推荐答案

在默认ASPMembership提供商的的ChangePassword（）方法，为现有用户的密码格式从数据库中检索，是用于连接$ C $格式CA现有用户新密码，不是在设置密码格式的web.config ，这可能现在指定不同的格式来使用。您可以通过看到自己的下载源code默认提供 。

Within the ChangePassword() method of the default ASPMembership provider, the password format for an existing user is retrieved from the database and is the format used to encode a new password for an existing user, and not the password format that is set in web.config, which may now specify a different format to use. You can see this for yourself by downloading the source code for the default providers.

我的问题是，然后，被存储在谁已经有明文存储密码的用户明文密码？您可以通过检查了passwordFormat字段的值在表中的用户 aspnet_Membership 容易检查。这些值是：

My question is then, is the password being stored in clear text for a user who already had a password stored in clear text? You can check this easily by checking the value of the PasswordFormat field for the user in table aspnet_Membership. The values are:

Clear = 0,
Hashed = 1,
Encrypted = 2,

编辑：

如果你需要自己哈希明文密码框架code可能会派上用场。

if you need to hash clear passwords yourself, the framework code may come in handy

// generate a salt
public string GenerateSalt()
{
    byte[] buf = new byte[16];
    (new RNGCryptoServiceProvider()).GetBytes(buf);
    return Convert.ToBase64String(buf);
}

// hashes the password, using the supplied salt
public string HashPassword(string pass, string salt)
{
    byte[] bIn = Encoding.Unicode.GetBytes(pass);
    byte[] bSalt = Convert.FromBase64String(salt);
    byte[] bAll = new byte[bSalt.Length + bIn.Length];
    byte[] bRet = null;

    Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
    Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);

    // this assumes a Hashed password (PasswordFormat = 1)
    HashAlgorithm s = HashAlgorithm.Create( Membership.HashAlgorithmType );
    bRet = s.ComputeHash(bAll);

    return Convert.ToBase64String(bRet);
}

现在，你只需要拉从数据库中的所有记录，其中的了passwordFormat = 0，运行它们通过一个控制台应用程序来散列密码，并保存盐，哈希密码到数据库，以及更新了passwordFormat场1

now you just need to pull all records from the database where the PasswordFormat = 0, run them through a console app to hash the password and save the salt, hashed password to the database, as well as update the PasswordFormat field to 1

这篇关于ASP.Net会员节省了更改后的口令为纯文本，即使散列了passwordFormat集的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！