这是通向盐和存储在分贝密码？ [英] Is this the way to salt and store a Password in Db?

问题描述

有seveal方式（甚至在这里SO），他们都提到，为了保持密码数据库的最好办法就是节约，不是密码，而不是hased密码，而是盐渍的为存储哈希密码

There are seveal ways (even here in SO) and they all mention that the best way to keep password on database is to save, not the password, not the hased password, but to store the hash of a salted password.

我的问题很简单，把一些code就可以了，这是正确的方法是什么？

My question is simple, putting some code on it, is this the correct way?

string username = "myUsr";
string password = "myPwd";
DateTime createDate = DateTime.UtcNow;

// Salt it
string saltedPwd = String.Concat(password, createDate.Ticks.ToString());

// Hash it
HMACSHA1 hash = new HMACSHA1(Encoding.Unicode.GetBytes(Helper.EncryptKey));
string encodedPwd = Convert.ToBase64String(
                        hash.ComputeHash(Encoding.Unicode.GetBytes(saltedPwd)));

// Create User in the database
db.CreateUser(username, encodedPwd, createDate);

的数据库用户表的

user_id | username | password | create_date | last_access | active

和在登录使用重复此过程，并检查连接codedPwd 是一样提供了盐渍，hased密码。

and upon Login use do the process again and check if the encodedPwd is the same as the salted, hased password that was provided.

我唯一担心的是，这是盐的密码？最好的办法就是它确定使用的创建日期（因为这会改变的，我读到最好是始终使用不同的盐每次我们带codeA密码...

My only concern is, is this the best way to salt a password? Is it ok to use the Created Date (as that will always change, and I read that it is best to use always a different salt every time we encode a password...

或者应该是盐一个完全不同的变量？

Or should be the salt a completely different variable?

推荐答案

您实现可能不够好，但它会更好地使用盐有更​​多的熵：您目前正在使用总是会在蜱值一个相对较小的范围内。

Your implementation is probably good enough, but it would be better to use a salt with more entropy: the ticks value that you're currently using will always be in a relatively small range.

我会建议使用像 PBKDF2 来为你做的工作，通过<一href=\"http://msdn.microsoft.com/en-us/library/system.security.cryptography.rfc2898derivebytes.aspx\"><$c$c>Rfc2898DeriveBytes:

I would suggest using something like PBKDF2 to do the work for you, via Rfc2898DeriveBytes:

string username = "myUsr";
string password = "myPwd";

using (var deriveBytes = new Rfc2898DeriveBytes(password, 20)) // 20-byte salt
{
    byte[] salt = deriveBytes.Salt;
    byte[] key = deriveBytes.GetBytes(20); // 20-byte key

    string encodedSalt = Convert.ToBase64String(salt);
    string encodedKey = Convert.ToBase64String(key);

    // store encodedSalt and encodedKey in database
    // you could optionally skip the encoding and store the byte arrays directly
    db.CreateUser(username, encodedSalt, encodedKey);
}

和验证...

string username = "myUsr";
string password = "myPwd";

string encodedSalt, encodedKey;
// load encodedSalt and encodedKey from database for the given username
byte[] salt = Convert.FromBase64String(encodedSalt);
byte[] key = Convert.FromBase64String(encodedKey);

using (var deriveBytes = new Rfc2898DeriveBytes(password, salt))
{
    byte[] testKey = deriveBytes.GetBytes(20); // 20-byte key

    if (!testKey.SequenceEqual(key))
        throw new InvalidOperationException("Password is invalid!");
}

这篇关于这是通向盐和存储在分贝密码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！