使用 GetHashCode 来“保护”用户密码
[英]Using GetHashCode to “secure” users passwords
问题描述
The company I work for has taken on a support contract for a large order processing system.
我工作的公司签订了一份大型订单处理系统的支持合同。 As part of the initial system audit I noticed that the passwords stored in the database were actually the hashcode of the password.作为初始系统审核的一部分,我注意到存储在数据库中的密码实际上是密码的哈希码。
Essentially:本质上:
string pwd = "some pasword";
string securePwd = pwd.GetHashCode();
My question is, how secure or otherwise is this?我的问题是,这有多安全?
I'm not comfortable with it, but I don't know enough about how GetHashCode works.我对此感到不舒服,但我对 GetHashCode 的工作原理知之甚少。 I would prefer to use something like an MD5 hash, but if I'm wasting my time then I won't bother.我更喜欢使用像 MD5 hash 这样的东西,但如果我在浪费时间,我就不会打扰。
6 个解决方案
解决方案1
5 2009-03-04 10:55:00
You should use a salted, cryptographically strong hash, such as SHA256Managed .您应该使用加盐的、加密性强的 hash,例如SHA256Managed 。
Jeff Attwood has a few good posts on this topic: Jeff Attwood 有一些关于这个主题的好帖子:
解决方案2
5 2009-03-04 10:58:09
It's not just insecure, but also subject to change:它不仅不安全,而且可能会发生变化:
http://netrsc.blogspot.com/2008/08/gethashcode-differs-on-systems.html http://netrsc.blogspot.com/2008/08/gethashcode-differs-on-systems.html
The value returned by GetHashValue for a given input has changed in the past. GetHashValue 为给定输入返回的值在过去发生了变化。
There's no guarantee it will even be the same between different executions of the app.无法保证在应用程序的不同执行之间它甚至是相同的。
解决方案3
4 已采纳 2009-03-04 10:54:19
GetHashCode returns a 32 bit integer as the hash value. GetHashCode返回一个 32 位 integer 作为 hash 值。 Considering the birthday paradox , it's not a long enough hash value due to the relatively high probability of collisions, even if it were explicitly designed to be collision resistant, which is not.考虑到生日悖论,由于碰撞概率相对较高,它的 hash 值不够长,即使它被明确设计为抗碰撞,但事实并非如此。
You should go for SHA256 or another cryptographically secure hash function designed to handle such a task.您应该 go 用于 SHA256 或其他加密安全 hash function 旨在处理此类任务。
To store passwords, just using a simple hash function is not enough.要存储密码,仅使用简单的 hash function 是不够的。 You should add some random "salt" per user and iterate enough times so that it would be computationally expensive to brute force.您应该为每个用户添加一些随机的“盐”并迭代足够多的时间,这样蛮力的计算成本就会很高。 Therefore, you should use something like bcrypt, scrypt , PBKDF2, with a large number of iterations.因此,您应该使用具有大量迭代的 bcrypt、 scrypt 、PBKDF2 之类的东西。
解决方案4
2 2009-03-04 11:37:59
解决方案5
1 2009-03-04 10:59:13
GetHashCode was definitely not designed to be used in this way as the implementation does not guarantee different hash returns for different objects. GetHashCode 绝对不是为了以这种方式使用而设计的,因为实现不保证不同对象的不同 hash 返回。 This means that potentially multiple passwords could produce the same hash.这意味着多个密码可能会产生相同的 hash。 It also isn't guaranteed to return the same hash value on different versions of the .NET framework meaning that an upgrade could potentially produce a different hash for the same string, rendering your passwords unusable to you.也不能保证在不同版本的 .NET 框架上返回相同的 hash 值,这意味着升级可能会产生不同的 hash 对于相同的字符串,使您的密码无法使用。
It is recommended that you use a salted hash or even MD5 at a push.建议您一推就使用盐渍 hash 甚至 MD5。 You can easily switch it to something within the Security.Cryptography namespace.您可以轻松地将其切换到Security.Cryptography命名空间中的内容。
解决方案6
1 2009-03-04 11:21:20
As others have said, GetHashCode isn't designed for what you're trying to do.正如其他人所说,GetHashCode 不是为您想要做的事情而设计的。 There is a really excellent article on how to handle user passwords securely .有一篇关于如何安全处理用户密码的非常好的文章。
To summarise the article, you need to use either a relatively slow adaptive hashing scheme such as bcrypt , or alternatively the Stanford Secure Remote Password Protocol .总结这篇文章,您需要使用相对较慢的自适应散列方案,例如bcrypt ,或者斯坦福安全远程密码协议。 I would suggest the former.我建议前者。 And of course you should also use a salt.当然,您还应该使用盐。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.