登录时比较盐和散列密码似乎不工作的权利 [英] comparing salt and hashed passwords during login doesn't seem work right

问题描述

我用户注册过程中存储的密码的盐和哈希值...但是，他们在登录时我再用盐和散列由用户提供的密码，什么情况是一种新的盐和新的哈希生成....

 字符串密码=收集[密码];
reg.PasswordSalt = CreateSalt（6）;
reg.PasswordHash = CreatePasswordHash（密码，reg.PasswordSalt）;
 

这些语句在这两个注册和登录....

在注册过程中盐和哈希是 eVSJE84W 和 18DE22FED8C378DB7716B0E4B6C0BA5416731​​5A2

在登录过程中它是 4YDIeARH 和 12E3C1F4F4CFE04EA973D7C65A09A78E2D80AAC7 .....任何建议....

 公共静态字符串CreateSalt（INT大小）
    {
        //生成加密随机数。
        RNGCryptoServiceProvider RNG =新RNGCryptoServiceProvider（）;
        字节[] = BUFF新的字节[大小]
        rng.GetBytes（BUFF）;        //返回一个Base64字符串重新随机数presentation。
        返回Convert.ToBase64String（BUFF）;
    }    公共静态字符串CreatePasswordHash（PWD字符串，字符串盐）
    {
        字符串saltAndPwd = String.Concat（PWD，盐）;
        串hashedPwd =
         FormsAuthentication.HashPasswordForStoringInConfigFile（
         saltAndPwdSHA1）;        返回hashedPwd;
    }
 

解决方案

现在你正在生成在注册和登录不同的盐。您需要使用相同的盐哈希或者你会得到不同的哈希值。也就是说你所需要的盐存储到数据库与密码一起，然后重新使用哈希当用户尝试后登录。

步骤：

1. 用户注册，并提供了明文密码


2. 您生成一个新的随机盐并用它来散列明文


3. 您存储盐和散列到数据库


4. 后来的用户尝试通过提供新的明文密码登录。你取的哈希，并从数据库中盐


5. 您使用盐散列纯文本


6. 比较两个散列

I stored salt and hash values of password during user registration... But during their login i then salt and hash the password given by the user, what happens is a new salt and a new hash is generated....

string password = collection["Password"];
reg.PasswordSalt = CreateSalt(6);
reg.PasswordHash = CreatePasswordHash(password, reg.PasswordSalt);

These statements are in both registration and login....

salt and hash during registration was eVSJE84W and 18DE22FED8C378DB7716B0E4B6C0BA54167315A2

During login it was 4YDIeARH and 12E3C1F4F4CFE04EA973D7C65A09A78E2D80AAC7..... Any suggestion....

    public static string CreateSalt(int size)
    {
        //Generate a cryptographic random number.
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        byte[] buff = new byte[size];
        rng.GetBytes(buff);

        // Return a Base64 string representation of the random number.
        return Convert.ToBase64String(buff);
    }

    public static string CreatePasswordHash(string pwd, string salt)
    {
        string saltAndPwd = String.Concat(pwd, salt);
        string hashedPwd =
         FormsAuthentication.HashPasswordForStoringInConfigFile(
         saltAndPwd, "sha1");

        return hashedPwd;
    }

解决方案

Right now you are generating a different salt upon registration and login. You need to use the same salt for hashing or you will get different hashes. That is to say you need store the salt into the database along with the password and reuse it to hash when the user tries to login later.

Steps:

1. User registers and provides a plain text password
2. You generate a new random salt and use it to hash the plain text
3. You store the salt and the hash into the database
4. Later the user tries to login by providing a new plain text password. You fetch the hash and the salt from database
5. You use the salt to hash the plain text
6. Compare the two hashes

这篇关于登录时比较盐和散列密码似乎不工作的权利的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！