MVC 3哪里加密用户的密码？ [英] MVC 3 where to encrypt the user's password?

问题描述

我已经创建了自己的密码加密dll，我使用它来检查登录时的用户密码，这是在我的用户实体中引用。用户注册哪些工作正常的能力除了密码还没有被加密。

我的问题很简单，我应该在哪里加密新用户的密码？我不知道我知道用户的密码不应该用纯文本传输，所以我不知道调用加密功能的最佳位置：

• 用户实体（加密dll已被用于验证）


• 保存用户方法的用户存储库。


• 控制用户创建视图的用户控制器。


• 我还没有考虑过其他地方！

非常感谢

解决方案

首先，对于客户端 - 服务器通信，建议您使用SSL进行敏感信息（如密码），不得以纯文本格式转移。

之后，通常的做法是不要在任何地方保存密码加密，但是它们的散列值。

您可以将哈希函数放在密码属性的set方法中，这里是一个例子：

  public class Member 
 {
 private string _username; 
 
 public string用户名
 {
 get {return _username; } 
 set {_username = value.ToLowerInvariant（）; 
} 
 
 public string Passhash {get; set;} 
 
 public void SetPassword（string password）
 {
 Passhash = Crypto .Hash（密码）; 
} 
 
 public bool CheckPassword（string password）
 {
 return string.Equals（Passhash，Crypto.Hash（password））; 
} 
} 
 
 public static class Crypto 
 {
 public static string Hash（string value）
 {
 return Convert .ToBase64String（
 System.Security.Cryptography.SHA256.Create（）
 .ComputeHash（Encoding.UTF8.GetBytes（value）））; 
} 
} 
  

编辑：

正如Craig Stuntz所指出的，这个例子中的哈希码非常简单。请参阅以下文章以更安全的方式来填写密码：使用MD5或sha-256 C＃哈希密码

I have my own password encryption dll that I am using to check the user's password when they login, this is referenced in my User entity.

Now I have created the ability for a user to register which is working fine, apart from the passwords are yet to be encrypted.

My question is quite simple, where should I put the encryption of the new user's password? I'm not sure as I am aware that the user's password shouldn't be transmitted in plain text, therefore I don't know where the best place to call the encryption function:

• User Entity (where the encryption dll is already used for validation).
• The User repository where the save user method is.
• The User controller where the user creation views are controlled.
• Somewhere else that I haven't considered!

Thanks very much

解决方案

First of all, for client - server communication, I would suggest you to use SSL for the sensitive information (like passwords) not to be transferred in plain text format.

Afterwards, it's the common practice not to save passwords anywhere (even with encryption, but the hashed values of them.

You can put the hash function to the set method of password property. Here is an example:

public class Member
{
    private string _username;

    public string Username
    {
        get { return _username; }
        set { _username = value.ToLowerInvariant(); }
    }

    public string Passhash {get;set;}

    public void SetPassword(string password)
    {
        Passhash = Crypto.Hash(password);
    }

    public bool CheckPassword(string password)
    {
        return string.Equals(Passhash, Crypto.Hash(password));
    }
}

public static class Crypto
{
    public static string Hash(string value)
    {
        return Convert.ToBase64String(
            System.Security.Cryptography.SHA256.Create()
            .ComputeHash(Encoding.UTF8.GetBytes(value)));
    }
}

Edit:

As Craig Stuntz pointed out, the Hash code in this example is very simple. See the following post for a more secure way to hash your password: Hashing passwords with MD5 or sha-256 C#

这篇关于MVC 3哪里加密用户的密码？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！