检查使用bCrypt加密的密码。我是否需要通过网络发送密码?
[英]Checking a password encrypted with bCrypt .. Do I need to send the password over the wire?
问题描述
I'm currently looking at using bCrypt to encrypt the passwords of the future users in my project. 
我目前正在使用bCrypt加密我项目中未来用户的密码。
It looks extremely powerful, but here's my concern -- 它看起来非常强大,但这是我的担忧-
- On the web site, create an account. 在网站上,创建一个帐户。 The server will bCrypt your password and store its hash. 服务器将bCrypt您的密码并存储其哈希。
test-->$2a$12$4PhCN62AmALB7e.Sv2w9w.AP/JZ28l.dZldU5iHyupY2w5wPz9o.utest->$2a$12$4PhCN62AmALB7e.Sv2w9w.AP/JZ28l.dZldU5iHyupY2w5wPz9o.u - Now to check your password, you simply check the return of
BCrypt.Net.BCrypt.Verify("test", "$2a$12$4PhCN62AmALB7e.Sv2w9w.AP/JZ28l.dZldU5iHyupY2w5wPz9o.u")to ensure a match.现在检查密码,您只需检查BCrypt.Net.BCrypt.Verify("test", "$2a$12$4PhCN62AmALB7e.Sv2w9w.AP/JZ28l.dZldU5iHyupY2w5wPz9o.u")即可确保匹配。
In the case of using a client-side app to work with this webserver, and the same data, do I need to send the password over the wire to have the server match it's validity? 如果使用客户端应用程序与此网络服务器以及相同的数据一起使用,我是否需要通过电线发送密码以使服务器匹配其有效性? Is it feasible to have the client request the hash, and have the server send it to the client, that way the client can do the hashing and verify it? 让客户端请求哈希,然后由服务器将其发送给客户端,这样客户端可以进行哈希并验证它是否可行?
1 个解决方案
解决方案1
3 已采纳 2013-03-13 01:39:15
You can prevent the plaintext password from being sent over the wire by using SSL (eg https). 您可以使用SSL(例如https)阻止纯文本密码通过网络发送。 The password will be plaintext but the connection will be secure, and only the server and client will be able to decode info in that connection. 密码将是纯文本,但连接将是安全的,并且只有服务器和客户端才能够解码该连接中的信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.