How to access the SimpleMembershipProvider Hashing Algorithm

Question

Is there a way to use the same hashing algorithm that SimpleMembership uses for password to hash a clear-text password without actually setting or changing a password? I just want the hashed version of the password for comparison.

I am building a new site using MVC 4, and have opted to use the SimpleMembershipProvider to handle most account related data. One requirement I have is to keep a password history. I do not need to be able to retrieve the actual passwords, so one-way hashing is fine.

I have come up with a solution that keeps a separate table of passwords using a separate one-way hashing algorithm, but it seems rather clunky to me. It would be far cleaner if I could take the new password, use the SimpleMembership's algorithm to hash it, compare that to my stored passwords, and then only change it if it is valid. This would also help when I go to migrate our passwords from the old site.

Right now the only way I can find to generate the hashed version of the password is by changing the password, and then reading the hashed version from SQL.

Recommended answer

SimpleMembershipProvider.SetPassword (the private method), uses System.Web.Helpers.Crypto.HashPassword, so you could use that to hash the password. It also takes care of the salt for you, which is included in the return value.

That method in turn just returns an RFC 2898 hash, so you could also use System.Security.Cryptography.Rfc2898DeriveBytes, which is what the HashPassword method uses, but then you need to worry about the salting.

Using the HashPassword method should work perfectly for your security requirement; I use this when I am asked to enforce requirements such as new passwords not matching any of the last 5 (regardless of whether this is a good security requirement or not, it works). You will need the Crypto.VerifyHashedPassword method to see if the password entered matches any of the historic ones, as this will take care of the salt for you as well.
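The password-history check described in the answer, as an added example that is not part of the original post. The PasswordHistory class, its method names, and the in-memory list standing in for a history table are assumptions; only Crypto.HashPassword and Crypto.VerifyHashedPassword come from the answer.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Helpers; // Crypto ships in System.Web.Helpers.dll (ASP.NET Web Pages)

// Hypothetical helper: remembers the most recent password hashes for one user.
// A real site would load and persist these values from its own history table.
public sealed class PasswordHistory
{
    private readonly int _depth;
    private readonly List<string> _hashes = new List<string>(); // newest first

    public PasswordHistory(int depth, IEnumerable<string> storedHashes = null)
    {
        if (depth < 1) throw new ArgumentOutOfRangeException("depth");
        _depth = depth;
        if (storedHashes != null) _hashes.AddRange(storedHashes.Take(depth));
    }

    // Each stored value embeds its own random salt, so re-hashing the candidate
    // and comparing strings can never match. VerifyHashedPassword re-derives the
    // hash using the salt carried inside the stored value.
    public bool IsReused(string candidate)
    {
        return _hashes.Any(h => Crypto.VerifyHashedPassword(h, candidate));
    }

    // Returns false (and stores nothing) when the password is still in history.
    public bool TryRecord(string newPassword)
    {
        if (string.IsNullOrEmpty(newPassword))
            throw new ArgumentException("Password required.", "newPassword");
        if (IsReused(newPassword)) return false;
        _hashes.Insert(0, Crypto.HashPassword(newPassword));
        if (_hashes.Count > _depth) _hashes.RemoveRange(_depth, _hashes.Count - _depth);
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        const string pw = "constructed-sample-1"; // constructed sample value
        // Same input hashed twice: the salts differ, so the strings differ.
        Console.WriteLine(Crypto.HashPassword(pw) == Crypto.HashPassword(pw));
        var history = new PasswordHistory(5);
        Console.WriteLine(history.TryRecord(pw)); // first use is accepted
        Console.WriteLine(history.TryRecord(pw)); // reuse within the window is rejected
    }
}
```

Store only the HashPassword output in the history table, never the clear-text password, and call TryRecord before handing the new password to the membership provider.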
