T-SQL AES加密散列VS /用户的网站腌制用于记录 [英] T-SQL AES Encryption vs Hashing/Salting for logging in users to website
问题描述
我有一个项目,软件显然设计者并没有把安全性考虑。
I have a project and apparently the designers of the software didn't put security into consideration.
的密码存储在纯文本,并通过明文传输。所以我留下的任务来解决这个问题。
The passwords are stored in plain text and transmitted through plain text. So I am left with the task to fix this.
我有点生锈的安全性,所以我的问题是:对在线用户密码验证是它更好地使用散列/腌制技术或者是它更好地使用AES加密?我可以有利弊。
I am a bit rusty on security, so my question is: for online user password authentication is it better to use hashing/salting techniques or is it better to use AES encryption? Could I have the pros and cons.
会不会更好以某种方式使用ASP.NET成员资格提供?这将是很容易做到?我以前使用的,但软件调用它自己的表,所以我不知道这是比较麻烦出现。
Would it be better to somehow use the ASP.NET membership provider? Would this be easy to do? I have used that before, but the software calls on it's own tables, so I'm not sure if that's more trouble there.
如果这已经回答可能有人告诉我那里,因为我没有找到一个比较。
If this has been answered could someone direct me there, because I didn't find a comparison.
推荐答案
你永远不应该储存使用对称加密密码。
You should NEVER store passwords using symmetric encryption.
随机盐为每个用户,哈希他们的密码,无论是盐和散列存储在数据库中。然后在登录请求你通过电子邮件/用户名/ ID等用户,然后用绑在该用户的盐和哈希他们提供的密码,然后匹配它存储的散列。如果匹配,登录,否则错误的密码。
Random salt for every user, hash their password, store both the salt and hash in the database. Then on login requests you get the user by email/username/id etc, then use the salt tied to that user and hash their supplied password and then match it against the stored hash. If matches, login, else bad password.
如果您使用内置的ASP.NET成员资格提供它应该为你做这个。
If you use the built in ASP.NET membership provider it should do this for you.
这篇关于T-SQL AES加密散列VS /用户的网站腌制用于记录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
