如何将密码存储在数据库表中 [英] How to store passwords in a database table

问题描述

我正在设计一个C＃应用程序，其中我需要将用户的登录信息（包括他们的密码）存储在数据库表中。我想知道这是一个很好的方法。

I am designing a C# application in which I need to store users' login information, including their passwords, in a database table. I was wondering what's a decent way of doing this.

我知道将密码存储为明文是一个可怕的想法。

I know it is a terrible idea to store passwords as clear text.

我正在考虑加密密码，然后存储它们。之后，每当用户输入密码时，我可以加密他们的输入，并将加密的输入与数据库中已经存在的输入进行比较。我的计划是使用一个很好的加密功能...

I was thinking of encrypting the passwords and then storing them. After that, every time the users enter their passwords, I can encrypt their input and compare that encrypted input with the one already in the database. My plan is to use a good has function for the encryption...

推荐答案

我认为一个常见的策略是做一个哈希使用类似SHA-256的密码，并将其存储在数据库中。然后登录，您将哈希，无论用户输入什么，并将其与数据库中的内容进行比较。

I think a common tactic is to make a hash of the password using something like SHA-256 and storing that in the database. Then to log in, you hash whatever the user enters and compare it with what is in the database.

此系统意味着您的加密是一种方式。您无法检索密码散列的密码。请注意，这具有可用性后果。具体来说，您不能向用户发送他们的密码。您只能重置密码。

This systems means that your "encryption" is one way. You cannot retrieve the password given the password hash. Note that this has usability consequences. Specifically, you cannot send users their password. You can only reset passwords.

进一步的改进将是 salt 密码，然后再散列。这可以防止涉及彩虹表的一类攻击。你几乎肯定会这样做，以及哈希密码。

A further improvement would be to salt the password before you hash it. This prevents a class of attacks involving rainbow tables. You should almost certainly do this as well as hashing the password.

正如其他人所提到的，重复这几次也是重要的，以防止暴力攻击。

As mentioned by other people, it is also important to iterate this several times to prevent brute-force attacks.

这篇关于如何将密码存储在数据库表中的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！