WebMatrix WebSecurity PasswordSalt

Question

I am using WebMatrix and have built a website based on the "StarterSite". In this starter site you get a nice basic layout - including registration, login, forgot password pages etc...

I've noticed that in the database the "webpages_Membership" table has a column named "PasswordSalt". After creating a few new user accounts, this column always remains blank. So I'm assuming that no password salt (not even a default one) is in use.

Obviously this is not the best practice, however I cannot seem to find any documentation that tells me how to set or manage the password salt.

How can I set the password salt with the WebSecurity Helper?

Recommended answer

The above answer gives the impression that there is no salting applied when using WebSecurity SimpleMembershipProvider.

That is not true. Indeed the database salt field is not used, however this does not indicate that there is no salt generated when hashing the password.

In WebSecurity's SimpleMembershipProvider the PBKDF2 algo is used, the random salt is generated by the StaticRandomNumberGenerator and stored in the password field with the hash:

byte[] outputBytes = new byte[1 + SALT_SIZE + PBKDF2_SUBKEY_LENGTH];
Buffer.BlockCopy(salt, 0, outputBytes, 1, SALT_SIZE); 
Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SALT_SIZE, PBKDF2_SUBKEY_LENGTH);
return Convert.ToBase64String(outputBytes);
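The layout in the snippet above can be checked against a value from the Password column of webpages_Membership by decoding it and splitting out the salt. This is an added example, not code from the original answer or from WebMatrix; the page names SALT_SIZE and PBKDF2_SUBKEY_LENGTH without giving values, so the sizes, the iteration count and the HMAC-SHA1 PRF used here are assumptions, as are the function names.

```python
import base64
import hashlib
import hmac
import os

# Assumptions: the page does not state these values.
SALT_SIZE = 16
PBKDF2_SUBKEY_LENGTH = 32
PBKDF2_ITERATIONS = 1000
PRF = "sha1"


def pack_password(password, salt=None):
    """Build a stored value with the snippet's layout: header byte + salt + subkey."""
    salt = os.urandom(SALT_SIZE) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, PBKDF2_SUBKEY_LENGTH)
    # Byte 0 is never written in the snippet, so it stays 0x00.
    return base64.b64encode(b"\x00" + salt + subkey).decode("ascii")


def unpack_password(stored):
    """Split a Password column value into (header, salt, subkey)."""
    raw = base64.b64decode(stored, validate=True)
    if len(raw) != 1 + SALT_SIZE + PBKDF2_SUBKEY_LENGTH:
        raise ValueError("unexpected stored length: %d bytes" % len(raw))
    return raw[0], raw[1:1 + SALT_SIZE], raw[1 + SALT_SIZE:]


def verify_password(stored, candidate):
    """Re-derive the subkey with the embedded salt and compare in constant time."""
    _, salt, subkey = unpack_password(stored)
    derived = hashlib.pbkdf2_hmac(PRF, candidate.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, len(subkey))
    return hmac.compare_digest(derived, subkey)


if __name__ == "__main__":
    # Constructed sample rows: two accounts with the same password.
    row_a = pack_password("correct horse")
    row_b = pack_password("correct horse")
    for name, row in (("a", row_a), ("b", row_b)):
        header, salt, _ = unpack_password(row)
        print(name, "header=%d" % header, "salt=" + salt.hex())
    print("stored values differ:", row_a != row_b)
    print("verify:", verify_password(row_a, "correct horse"))
```

Two accounts with the same password produce different stored values because each carries its own salt, which is why the separate PasswordSalt column can stay blank.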
