C# and SQL Server: Passwords. Where to do what?


Problem description



Ok, I have an application written in C#. We have data in an SQL Server. Among that data we have user accounts, which will give access to the application.

I've read around, and I know that you should salt and hash and possibly hash a bunch of times, etc. But, where do I do what? What do I send to and from the SQL Server? Exactly what do I store in the database? Do I hash it in SQL? (possibly a hash function there, like in mysql?) Do I hash and do the fancy stuff in my code? Do I send the hash to the server and compare, or do I get the hash from the server and compare in my application? What about the salt? Where do I make it? Where do I store it? How do I get it?

In other words, could someone give me a nice and clear walkthrough of a login scenario (and possibly a user add/reset password scenario). What goes where, what should be used where, etc.

Hope someone can clear these things up for me =)

Solution

I agree with Joel Coehoorn completely, the best choice is to trust someone else's tried and true implementation. If, however, you're determined to roll your own security implementation, then my advice is the following:

  1. Store the hash and salt in the database.
  2. Generate the hash and the salt in your own code. That way you're not tying yourself to a specific database.
  3. Never send the password over the wire as plaintext. I would recommend fetching the hash and the salt from the database and comparing it to the ones you calculated from the username and password supplied by the party that wishes to be authenticated.
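As an added illustration of these three steps (example code written for this page, not code from the answer or from any project), assuming .NET 6+ and a hypothetical `Users` table with `Salt`, `Hash` and `Iterations` columns that the application reads and writes with ordinary parameterized queries:

```csharp
using System;
using System.Security.Cryptography;

// What one row of the hypothetical Users table holds besides the username.
// The plaintext password is never stored and never sent to SQL Server.
public sealed record StoredCredential(byte[] Salt, byte[] Hash, int Iterations);

public static class PasswordStore
{
    private const int SaltSize = 16;           // 128-bit random salt per user
    private const int HashSize = 32;           // PBKDF2-HMAC-SHA256 output length
    private const int DefaultIterations = 600_000; // "hash a bunch of times"

    // Registration / password reset: generate salt and hash in application code
    // (step 2), then INSERT/UPDATE Users SET Salt=@salt, Hash=@hash,
    // Iterations=@iter WHERE Username=@user (step 1).
    public static StoredCredential Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, DefaultIterations, HashAlgorithmName.SHA256, HashSize);
        return new StoredCredential(salt, hash, DefaultIterations);
    }

    // Login: SELECT Salt, Hash, Iterations FROM Users WHERE Username=@user,
    // recompute with the stored salt and iteration count, and compare in the
    // application (step 3). FixedTimeEquals avoids leaking how many leading
    // bytes matched through response timing.
    public static bool Verify(string password, StoredCredential stored)
    {
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            password, stored.Salt, stored.Iterations,
            HashAlgorithmName.SHA256, stored.Hash.Length);
        return CryptographicOperations.FixedTimeEquals(candidate, stored.Hash);
    }

    public static void Main()
    {
        // Constructed sample: what registration would store for one user.
        StoredCredential row = Create("correct horse battery staple");
        Console.WriteLine(Verify("correct horse battery staple", row)); // True
        Console.WriteLine(Verify("wrong password", row));               // False
    }
}
```

Storing the iteration count alongside the hash lets you raise it later for new passwords while still verifying older rows; the salt itself is not secret, it only has to be unique per user.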
