Asp.net MVC - 如何哈希密码 [英] Asp.net MVC - How to hash password
问题描述
如何将用户输入(密码)散列到数据库,然后在登录过程中读取散列密码?
我相信解决方案是在注册时对密码进行散列,密码在数据库内保存为哈希。在登录后,应该将其密码与用户密码输入进行解散和比较。
但我不知道该怎么做。
我允许密码在db中具有 nvarchar(MAX),因为散列密码通常很长。
[必需]
[StringLength(MAX,MinimumLength = 3,ErrorMessage =最小3,最多50个字母)]
public string Password {get;组;
注册:
[HttpPost]
public ActionResult注册(用户用户){
if(ModelState.IsValid){
var u = new User {
UserName = user.UserName,
Password = user.Password
};
db.Users.Add(u);
db.SaveChanges();
返回RedirectToAction(登录);
}
} return View();
}
登录:
public ActionResult Login(){
return View();
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult登录(用户u){
if(ModelState.IsValid)
{
使用(UserEntities db = new UserEntities()){
// un-hash密码?
var v = db.Users.Where(a => a.UserName.Equals(u.UserName)&& a.Password.Equals(u.Password))。FirstOrDefault() ;
if(v!= null){
return RedirectToAction(Index,Home); //登录后
}
}
} return View(u);
}
我正在使用数据库。
你永远不需要打破密码。 加密散列函数应该是单向操作。这提供了更多的安全性,因为没有人可以窃取用户的密码,即使他们设法查看数据库的内容。
-
当用户注册时,计算密码的哈希值,将哈希存储在数据库中,永远忘记密码。
-
当用户登录时,计算他们输入密码的哈希值(忘记密码),并查看哈希是否与数据库中存储的哈希匹配。
这是大多数网站使用的机制,这正是为什么如果您成功通过我忘记密码过程,他们将不会显示你的密码:他们没有;即使他们想要也不能检索它。相反,他们会向您发送一个密码重置链接。
至于如何从字符串中计算哈希,interwebz中有很多答案,例如: MD5(MSDN); SHA-256(MSDN); SHA-512( MSDN)
How do I hash an users input(password) to database and then later read the hashed password during login?
I believe the solution is to hash the password upon register, where the password is saved as hashed inside db. Later upon Login, it should un-hash and compare its password with users password-input. But I don't know how to do it.
I allowed password to have nvarchar(MAX)in db since hashed password are usually long.
[Required]
[StringLength(MAX, MinimumLength = 3, ErrorMessage = "min 3, max 50 letters")]
public string Password { get; set; }
Register:
[HttpPost]
public ActionResult Register(User user) {
if (ModelState.IsValid) {
var u = new User {
UserName = user.UserName,
Password = user.Password
};
db.Users.Add(u);
db.SaveChanges();
return RedirectToAction("Login");
}
}return View();
}
Login:
public ActionResult Login() {
return View();
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Login(User u) {
if (ModelState.IsValid)
{
using (UserEntities db = new UserEntities()) {
//un-hash password?
var v = db.Users.Where(a => a.UserName.Equals(u.UserName) && a.Password.Equals(u.Password)).FirstOrDefault();
if (v != null) {
return RedirectToAction("Index", "Home"); //after login
}
}
}return View(u);
}
I'm using database first.
You should never need to unhash a password. A cryptographic hash function is supposed to be a one-way operation. This provides far more security, because nobody can steal your user's passwords even if they manage to view the contents of your database.
When the user registers, compute the hash of their password, store the hash in the database, and forget the password forever.
When the user logs in, compute the hash of the password they entered, (forget that password too,) and see if the hash matches the hash stored in the database.
This is the mechanism used by most websites out there, and that's precisely why if you successfully go through the "I forgot my password" procedure, they will still not show you your password: they don't have it; they cannot retrieve it even if they wanted to. Instead, they send you a password reset link.
As for how to compute a hash from a string, the interwebz abound with answers to that question, for example: MD5 (MSDN); SHA-256 (MSDN); SHA-512 (MSDN)
这篇关于Asp.net MVC - 如何哈希密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
