ASP.Net Membership 将更改的密码保存为纯文本，即使设置了散列密码格式 [英] ASP.Net Membership saves changed password as plain text even with Hashed passwordFormat set

问题描述

我正在使用 ASP.Net SqlMembershipProvider 来管理我的用户.这是我的配置:

I'm using the ASP.Net SqlMembershipProvider to manage my users. Here is my config:

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
            <providers>
                <clear />
                <add
                    name="SqlProvider"
                    type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                    connectionStringName="SiteDatabase"
                    applicationName="WPR"
                    minRequiredPasswordLength="6"
                    minRequiredNonalphanumericCharacters="0"
                    enablePasswordRetrieval="false"
                    enablePasswordReset="true"
                    requiresQuestionAndAnswer="false"
                    requiresUniqueEmail="true"
                    passwordFormat="Hashed" />
            </providers>
        </membership>

我的问题是:当我调用 Membership.CreateUser 来创建新用户时，密码以带有盐的散列格式存储在数据库中 - 这一切都很好.但是，当我在管理函数中调用 Membership.ChangePassword 时，它以纯文本格式存储密码.我真的无法理解这种行为，因为配置清楚地显示哈希"并且创建一个新用户会创建一个哈希密码.

My problem is this: when I call Membership.CreateUser to create new users, the password is stored in the DB in hashed format with a salt - which is all good. However, when I call Membership.ChangePassword in an admin function, it is storing the password in plain text format. I really cannot understand this behaviour, since the config clearly says "Hashed" and creating a new user creates a hashed password.

推荐答案

在默认 ASPMembership 提供程序的 ChangePassword() 方法中，从数据库中检索现有用户的密码格式，并且用于为现有用户编码新密码的格式，而不是在 web.config 中设置的密码格式，它现在可以指定要使用的不同格式.您可以通过下载源代码亲自查看对于默认提供程序.

Within the ChangePassword() method of the default ASPMembership provider, the password format for an existing user is retrieved from the database and is the format used to encode a new password for an existing user, and not the password format that is set in web.config, which may now specify a different format to use. You can see this for yourself by downloading the source code for the default providers.

我的问题是，对于已经以明文形式存储密码的用户，密码是否以明文形式存储?您可以通过检查表 aspnet_Membership 中用户的 PasswordFormat 字段的值来轻松检查这一点.值是:

My question is then, is the password being stored in clear text for a user who already had a password stored in clear text? You can check this easily by checking the value of the PasswordFormat field for the user in table aspnet_Membership. The values are:

Clear = 0,
Hashed = 1,
Encrypted = 2,

如果您需要自己散列清除密码，框架代码可能会派上用场

if you need to hash clear passwords yourself, the framework code may come in handy

// generate a salt
public string GenerateSalt()
{
    byte[] buf = new byte[16];
    (new RNGCryptoServiceProvider()).GetBytes(buf);
    return Convert.ToBase64String(buf);
}

// hashes the password, using the supplied salt
public string HashPassword(string pass, string salt)
{
    byte[] bIn = Encoding.Unicode.GetBytes(pass);
    byte[] bSalt = Convert.FromBase64String(salt);
    byte[] bAll = new byte[bSalt.Length + bIn.Length];
    byte[] bRet = null;

    Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
    Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);

    // this assumes a Hashed password (PasswordFormat = 1)
    HashAlgorithm s = HashAlgorithm.Create( Membership.HashAlgorithmType );
    bRet = s.ComputeHash(bAll);

    return Convert.ToBase64String(bRet);
}

现在您只需从数据库中提取 PasswordFormat = 0 的所有记录，通过控制台应用程序运行它们以对密码进行哈希处理并将 salt、哈希密码保存到数据库中，并将 PasswordFormat 字段更新为 1

now you just need to pull all records from the database where the PasswordFormat = 0, run them through a console app to hash the password and save the salt, hashed password to the database, as well as update the PasswordFormat field to 1

这篇关于ASP.Net Membership 将更改的密码保存为纯文本，即使设置了散列密码格式的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！