密码加密 [英] Password encryption

问题描述

我创造了在C＃应用程序中的登录屏幕。在我的登录屏幕，我从数据库中读取用户名和密码，并检查输入的用户名和密码是否正确。我需要密码，而我读的密码表单的数据库进行加密。任何人都可以解释如何加密和解密工作。

1. 我是否要存储在数据库中的加密值的阅读。



2. 现在我有两个字段

    列名：用户名密码
    
   值：管理员密码
     




3. 我应该密码的加密值存储在另一个领域在登录表

解决方案

第一：？通常的做法，现在是存储密码的哈希盐渍，而不是明文密码本身（SHA-1和更好的哈希算法是首选，避免MD5，因为它不是安全了）。当用户登录时，重新计算所述输入串的散列，然后将其与存储在数据库中的字符串进行比较。

编辑：为什么不应该使用了加密密码？因为当攻击者知道的密钥进行加密，你的密码将被暴露（这是非常糟糕）。如果您在使用哈希，他正好可以猜出一个接一个（这并不容易）。否则，散列算法，一般情况下会更快然后加密，你将采取的性能优势。

编辑：你为什么要存储，而不是一个哈希散列盐渍，？因为散列算法可以保证，如果散列相同字符串时，结果是一样的。这可能会导致一个问题是，当攻击者看到相同的哈希值，他可以的猜的该文本是一样的，这给机会，他得到原来的密码。

盐意味着除了原来的文本，你把一些随机的文本，因此，两个相同的字符串将产生的不同的的哈希值

看看这个： http://www.obviex.com /samples/hash.aspx

在用户的情况下，忘记了他的密码，可以使用重置密码功能，很多网站都使用的：

1. 的用户请求密码重置


2. 的电子邮件包含一个特殊的环节（包括秘密令牌/ PIN ）将被发送到注册的电子邮件地址，即允许用户重新设置自己的密码。


3. 系统随机生成的密码将被再次发送给用户，那么他就可以登录并修改自己的密码。

更新2012年5月14日：答案似乎是老了，不完全是这样。人们转向更安全散列加密算法来存储密码。一个显着的解决方案是现在bcrypt，另一个（新的和有希望的）是scrypt。

这些加密的优势在哪里？他们是慢！远远高于散列算法慢。随着GPU（例如，CUDA来自NVIDIA）的力量，破解哈希值是不可能的，现在，缓慢可以让它更难破解这些加密。

你可以找到更多关于bcrypt： http://codahale.com/how -to-安全，存储一个密码/

二：你应该分开用户表（包含用户个人资料，如姓名，出生日期，地址，...）和登录表（包含用户名和密码，以及一些特殊的属性）。这将导致更好的管理和降低暴露敏感信息

的风险

I am creating a login screen for an application in C#. In my login screen I am reading the username and password from the database and checking whether the entered username and password are correct or not. I need the password to encrypt while I am reading the password form the database. Can anyone explain how encryption and decryption works.

1. Whether I have to store the encrypted value in the database for reading.

2. Right now I have two fields

   column names: username         password 
   
   values:        admin            password
   

3. Should I store the encrypted value of the password in another field in the login table?

解决方案

First: The common approach now is that store the salted hash of the password, instead of the plain-text password itself (SHA-1 and better hashing algorithm are preferred, avoid MD5 because it's not safe any more) . When the user login, you recalculate the hash of the input string, then compare it with string stored in the database.

EDIT: why shouldn't you use encryption for password? Because when the attacker knows the key of encryption, all of you passwords will be exposed (That's very bad). If you using hash, he just can guess one-by-one (and this is not easy). Otherwise, hash algorithms, in general, are faster then encryption, you'll take the performance benefit.

EDIT: why you should store salted hash, instead of a hash? Because hashing algorithms are guaranteed that if you hash identical strings, the result is the same. This may lead to a problem is that, when attacker see the same hash values, he can guess that the texts were the same, and this gives chance for him to get the original password.

Salt means that besides the original text, you put some random text, and therefore, two identical strings will generate different hash values

Take a look at this: http://www.obviex.com/samples/hash.aspx

In case of the user forgets his password, you can use the reset password function, which many sites are using:

1. The user requests a password reset
2. An email contains a special link (include a secret token/PIN) will be sent to registered email address, that allows user to reset his password.
3. A randomly created password will be sent again to user, then he can login and change his password.

UPDATE May 14th 2012: The answer seems to be old, and not completely true. People are moving to more secure hashing-encryption algorithm for storing password. One of notable solution now is bcrypt, and another (new and promising) is scrypt.

The advantage of these encryption? They're slow! Much slower than hashing algorithm. With the power of GPU (for example, CUDA from nVidia), cracking the hash value is not impossible now, and the slowness can make it much harder to crack these encryption.

You can find more about bcrypt at: http://codahale.com/how-to-safely-store-a-password/

Second: You should separate the users table (contains user profiles, such as full name, DoB, address,...) and logins table (Which contains user name and password, and some special attributes). This will lead to better management and reduce the risk of exposing sensitive information

这篇关于密码加密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！