这是在 Db 中加盐和存储密码的方法吗? [英] Is this the way to salt and store a Password in Db?

问题描述

有几种方法(即使在这里也是如此)，他们都提到将密码保存在数据库中的最佳方法是保存，不是密码，不是已加密的密码，而是存储加盐的哈希值密码.

There are seveal ways (even here in SO) and they all mention that the best way to keep password on database is to save, not the password, not the hased password, but to store the hash of a salted password.

我的问题很简单，在上面放一些代码，这样正确吗?

My question is simple, putting some code on it, is this the correct way?

string username = "myUsr";
string password = "myPwd";
DateTime createDate = DateTime.UtcNow;

// Salt it
string saltedPwd = String.Concat(password, createDate.Ticks.ToString());

// Hash it
HMACSHA1 hash = new HMACSHA1(Encoding.Unicode.GetBytes(Helper.EncryptKey));
string encodedPwd = Convert.ToBase64String(
                        hash.ComputeHash(Encoding.Unicode.GetBytes(saltedPwd)));

// Create User in the database
db.CreateUser(username, encodedPwd, createDate);

数据库用户表

user_id | username | password | create_date | last_access | active

并在登录时再次执行此过程并检查 encodedPwd 是否与提供的加盐密码相同.

and upon Login use do the process again and check if the encodedPwd is the same as the salted, hased password that was provided.

我唯一担心的是，这是对密码加盐的最佳方式吗?是否可以使用创建日期(因为它总是会改变，我读到最好始终使用每次我们对密码进行编码时，都会使用不同的 salt...

My only concern is, is this the best way to salt a password? Is it ok to use the Created Date (as that will always change, and I read that it is best to use always a different salt every time we encode a password...

或者 salt 应该是一个完全不同的变量吗?

Or should be the salt a completely different variable?

推荐答案

您的实现可能已经足够好，但最好使用具有更多熵的盐:您当前使用的刻度值将始终在范围相对较小.

Your implementation is probably good enough, but it would be better to use a salt with more entropy: the ticks value that you're currently using will always be in a relatively small range.

我建议使用 PBKDF2 之类的东西来为您完成这项工作，通过 Rfc2898DeriveBytes:

I would suggest using something like PBKDF2 to do the work for you, via Rfc2898DeriveBytes:

string username = "myUsr";
string password = "myPwd";

using (var deriveBytes = new Rfc2898DeriveBytes(password, 20)) // 20-byte salt
{
    byte[] salt = deriveBytes.Salt;
    byte[] key = deriveBytes.GetBytes(20); // 20-byte key

    string encodedSalt = Convert.ToBase64String(salt);
    string encodedKey = Convert.ToBase64String(key);

    // store encodedSalt and encodedKey in database
    // you could optionally skip the encoding and store the byte arrays directly
    db.CreateUser(username, encodedSalt, encodedKey);
}

并进行身份验证...

string username = "myUsr";
string password = "myPwd";

string encodedSalt, encodedKey;
// load encodedSalt and encodedKey from database for the given username
byte[] salt = Convert.FromBase64String(encodedSalt);
byte[] key = Convert.FromBase64String(encodedKey);

using (var deriveBytes = new Rfc2898DeriveBytes(password, salt))
{
    byte[] testKey = deriveBytes.GetBytes(20); // 20-byte key

    if (!testKey.SequenceEqual(key))
        throw new InvalidOperationException("Password is invalid!");
}

这篇关于这是在 Db 中加盐和存储密码的方法吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！