堆栈内存溢出
  简体   繁体   English

如果用户知道哈希算法,如何在本地将密码存储在文本文件中并防止用户重置密码?

[英]How to locally store password in a text file and prevent user resetting password if they know the hashing algorithm?

 原文  2022-11-16 20:57:02       c#/ security/ passwords/ password-protection

问题描述

The goal:目标:

  • Store usernames, hash salt & hashed password in a text file在文本文件中存储用户名、hash 盐和散列密码
  • Allow user to copy and paste the file to other computers that are running the same application允许用户将文件复制并粘贴到运行相同应用程序的其他计算机
  • Catch if a user edits the text file and replaces the hashed password, effectively resetting a password to whatever they want, for any user.如果用户编辑文本文件并替换散列密码,有效地将任何用户的密码重置为他们想要的任何密码,则捕获。

The problem: If I store usernames, hash salt & hashed password a user can reset the password assuming they know the hashing algorithm.问题:如果我存储用户名、hash salt 和散列密码,假设用户知道散列算法,则可以重置密码。 I could add an extra step, like hash(password, salt, "X") where "X" is just a constant value getting added to the password and salt.我可以添加一个额外的步骤,比如hash(password, salt, "X") ,其中 "X" 只是一个常量值,被添加到密码和盐中。 This value "X" could be hardcoded into the application.这个值“X”可以硬编码到应用程序中。 However, this is security through obscurity, which is "fine" until this "custom" hashing algorithm is figured out / exposed.然而,这是通过模糊实现的安全性,在这个“自定义”哈希算法被弄清楚/公开之前,这是“很好的”。

Is there a way to accomplish these goals even if the users knew the hashing algorithms being used?即使用户知道正在使用的散列算法,是否有办法实现这些目标?

It sounds like a use case for a private key that must be kept secret, but are there other options?这听起来像是必须保密的私钥用例,但还有其他选择吗?

This was a great Q&A but it doesn't have a solution for moving files: How to securely save username/password (local)?这是一个很棒的问答,但它没有移动文件的解决方案: How to securely save username/password (local)?

1 个解决方案

解决方案1
 1  2022-11-16 21:43:22

I would look into digitally signing the file.我会考虑对文件进行数字签名。

Wiki on Digital Signing数字签名维基

If you have access to something like AES crypto suite it would be fairly easy to generate a privKey/pubKey pair and sign your password file to ensure it is not tampered with, you would of course need to resign the file anytime legitimate changes are made to it.如果您可以访问 AES 加密套件之类的东西,那么生成一个 privKey/pubKey 对并签署您的密码文件以确保它不被篡改会相当容易,您当然需要在任何时候对文件进行合法更改时退出该文件它。

I should mention using the private key to sign inside the application means the key to a certain extent is vulnerable to being extracted by users.我应该提到使用私钥在应用程序内部签名意味着密钥在一定程度上容易被用户提取。 You need to decide for yourself how secure your system needs to be.您需要自己决定您的系统需要多安全。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在本地正确存储密码 - How to properly store password locally Rijndael算法替代密码散列 - Rijndael algorithm alternative for password hashing 成员资格:重置用户密码 - Membership: Resetting user password Windows应用商店中的密码哈希 - Password hashing in Windows store app 散列用户密码 - 身份服务器 - Hashing user password - Identity Server 散列密码算法和程序的实际运行 - Hashing password algorithm and actual running of the program 如何更改仅适用于正确用户的存储在文本文件中的用户名和密码 - how to change a username and password stored in a text file only for the correct user 从用户的密码和现时值中散列密码 - Hashing a password from user's password and nonce value 使用Microsoft Graph重置用户密码 - Resetting a user's password using Microsoft Graph 如何调用HashPassword并将用户密码存储到数据库? - How to Call to HashPassword and to store User password to database?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM