默认的MVC 4密码验证如何工作?
[英]How does default MVC 4 password verification work?
问题描述
I've created a default MVC 4 project with login authentication 
我已经创建了具有登录身份验证的默认MVC 4项目
When I register for an account with password: 123456 当我注册密码为123456的帐户时
Why is it stored in the SQL database as: ALWsAlpVTehuGr7W2jaGwoX3Ww0RE5GC+yYDITvCpCdHmIIrX7vwMoTW3cEbMsGd4w== 为什么将其存储在SQL数据库中为: ALWsAlpVTehuGr7W2jaGwoX3Ww0RE5GC+yYDITvCpCdHmIIrX7vwMoTW3cEbMsGd4w==
If so, how does it compare the 2 strings to check whether the password entered is correct? 如果是这样,它将如何比较两个字符串以检查输入的密码是否正确?
2 个解决方案
解决方案1
0 已采纳 2014-01-28 19:49:11
By default when passwords are stored in an SQL database they are encrypted. 默认情况下,密码存储在SQL数据库中时会被加密。 When you try logging in again the password will be encrypted before the authentication attempt, then this encrypted password will be compared to the one stored in the database. 当您再次尝试登录时,将在尝试身份验证之前对密码进行加密,然后将该加密的密码与数据库中存储的密码进行比较。
It is disturbingly common for companies databases to become compromised. 令人不安的是,公司数据库遭到破坏。 Imagine if a hacker got a copy of your database and right there was everyone's usernames and passwords in plain text. 想象一下,如果一个黑客得到了您数据库的副本,而现在每个人的用户名和密码都是纯文本格式。 Most people use the same password for multiple sites so imagine the repercussions. 大多数人对多个站点使用相同的密码,因此请想象一下后果。 Whereas if the hacker only has the encrypted passwords there is no way to reverse the salt and get the original plain text passwords out. 而如果黑客仅拥有加密密码,则无法撤消盐分和获取原始纯文本密码。
解决方案2
0 2014-01-28 19:50:01
This question has been answered multiple times here on StackOverflow: 在StackOverflow上,此问题已被多次回答:
How can I use the same encryption that asp.net mvc4 uses? 如何使用与asp.net mvc4相同的加密?
How to reproduce ASP.NET MVC 4 password hash 如何重现ASP.NET MVC 4密码哈希
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.