当您无法将密码保存为哈希时,该怎么办 [英] What to do when you can not save a password as a hash
问题描述
我有一个程序使用 System.DirectoryServices.AccountManagement.PrincipalContext
来验证用户在设置屏幕中输入的信息是域上的有效用户(计算机本身不在域上),并对域的用户进行一些操作。问题是我不希望用户每次运行程序时都需要输入他的密码,所以我想保存它,但是我不太喜欢将密码作为纯文本存储在他们的app.config文件中。 PrincipalContext需要一个纯文本密码,所以我不能像所有人建议密码存储那样做一个盐渍的哈希。
这是我做的
const byte [] mySalt = //这是每个人的秘密。
[global :: System.Configuration.UserScopedSettingAttribute()]
public global :: System.Net.NetworkCredential ServerLogin
{
get
{
var tmp =((global :: System.Net.NetworkCredential)(this [ServerLogin]));
if(tmp!= null)
tmp.Password = new System.Text.ASCIIEncoding()。GetString(ProtectedData.Unprotect(Convert.FromBase64String(tmp.Password),mySalt,DataProtectionScope.CurrentUser)) ;
return tmp;
}
set
{
var tmp = value;
tmp.Password = Convert.ToBase64String(ProtectedData.Protect(new System.Text.ASCIIEncoding()。GetBytes(tmp.Password),mySalt,DataProtectionScope.CurrentUser));
this [ServerLogin] = value;
}
}
这是正确的做法还是在那里更好的方式?
编辑 -
这是一个基于大家建议的更新版本
private MD5 md5 = MD5.Create();
[global :: System.Configuration.UserScopedSettingAttribute()]
public global :: System.Net.NetworkCredential ServerLogin
{
get
{
var tmp =((global :: System.Net.NetworkCredential)(this [ServerLogin]));
if(tmp!= null)
tmp.Password = System.Text.Encoding.UTF8.GetString(ProtectedData.Unprotect(Convert.FromBase64String(tmp.Password)),md5.ComputeHash(System.Text。 Encoding.UTF8.GetBytes(tmp.UserName.ToUpper())),DataProtectionScope.CurrentUser));
return tmp;
}
set
{
var tmp = value;
tmp.Password = Convert.ToBase64String(ProtectedData.Protect(System.Text.Encoding.UTF8.GetBytes(tmp.Password),md5.ComputeHash(System.Text.Encoding.UTF8.GetBytes(tmp.UserName.ToUpper ())),DataProtectionScope.CurrentUser));
这个[ServerLogin] = tmp;
}
}
编写新的System.Text.ASCIIEncoding()
,你应该写 System.Text.Encoding.ASCII
。 p>
另外,我建议使用UTF8。
除此之外,你的代码看起来还不错。
I have a program that uses System.DirectoryServices.AccountManagement.PrincipalContext
to verify that the information a user entered in a setup screen is a valid user on the domain (the computer itself is not on the domain) and do some operations on the users of the domain. The issue is I do not want the user to need to enter his or her password every time they run the program so I want to save it, but I do not feel comfortable storing the password as plain-text in their app.config file. PrincipalContext needs a plain-text password so I can not do a salted hash as everyone recommends for password storing.
This is what I did
const byte[] mySalt = //It's a secret to everybody.
[global::System.Configuration.UserScopedSettingAttribute()]
public global::System.Net.NetworkCredential ServerLogin
{
get
{
var tmp = ((global::System.Net.NetworkCredential)(this["ServerLogin"]));
if(tmp != null)
tmp.Password = new System.Text.ASCIIEncoding().GetString(ProtectedData.Unprotect(Convert.FromBase64String(tmp.Password), mySalt, DataProtectionScope.CurrentUser));
return tmp;
}
set
{
var tmp = value;
tmp.Password = Convert.ToBase64String(ProtectedData.Protect(new System.Text.ASCIIEncoding().GetBytes(tmp.Password), mySalt, DataProtectionScope.CurrentUser));
this["ServerLogin"] = value;
}
}
Was this the right thing to do or is there a better way?
EDIT -- Here is a updated version based on everyone's suggestions
private MD5 md5 = MD5.Create();
[global::System.Configuration.UserScopedSettingAttribute()]
public global::System.Net.NetworkCredential ServerLogin
{
get
{
var tmp = ((global::System.Net.NetworkCredential)(this["ServerLogin"]));
if(tmp != null)
tmp.Password = System.Text.Encoding.UTF8.GetString(ProtectedData.Unprotect(Convert.FromBase64String(tmp.Password), md5.ComputeHash(System.Text.Encoding.UTF8.GetBytes(tmp.UserName.ToUpper())), DataProtectionScope.CurrentUser));
return tmp;
}
set
{
var tmp = value;
tmp.Password = Convert.ToBase64String(ProtectedData.Protect(System.Text.Encoding.UTF8.GetBytes(tmp.Password), md5.ComputeHash(System.Text.Encoding.UTF8.GetBytes(tmp.UserName.ToUpper())), DataProtectionScope.CurrentUser));
this["ServerLogin"] = tmp;
}
}
Instead of writing new System.Text.ASCIIEncoding()
, you should write System.Text.Encoding.ASCII
.
Also, I recommend using UTF8 instead.
Other than that, your code looks pretty good.
这篇关于当您无法将密码保存为哈希时,该怎么办的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!