如何在C#windows窗体应用程序中轻松加密密码?
[英]How to easily salt a password in a C# windows form application?
问题描述
How can I easily salt a password from a Textbox.Text? 
如何轻松地从Textbox.Text中获取密码?
Are there some built in wizardry in the .NET framework? .NET框架中是否有一些内置的魔法?
5 个解决方案
解决方案1
10 已采纳 2010-06-17 15:44:16
We had a great discussion a while ago about best practices when salting a password, you might find some great ideas there: 我们前一段时间就盐渍密码的最佳实践进行了很好的讨论,你可能会在那里找到一些好主意:
Salting Your Password: Best Practices? 保存密码:最佳实践?
I've found that one of the easiest, while still being fairly secure, is to use a GUID as your salt. 我发现最简单的一个,虽然仍然相当安全,但是使用GUID作为你的盐。 It's random and sufficiently long. 它是随机的,足够长。 It works best if you include the string formatting of the GUID (the '{' and '-' characters), but you don't have to. 如果您包含GUID的字符串格式(“{”和“ - ”字符),则效果最佳,但您不必这样做。
Remember that the salt has to be unique per item salted and that to be most secure, you should use a cryptographically secure random number generator. 请记住,盐对于每个盐渍物品必须是唯一的,并且为了最安全,您应该使用加密安全随机数生成器。 Remember also that you have to store your salt along with the password, or you won't be able to check the plaintext version against the hashed version! 还要记住,您必须将盐与密码一起存储,否则您将无法根据哈希版本检查纯文本版本! You can store the salt un-encrypted if you like; 如果您愿意,可以将盐保存为未加密的; I typically put it in a field on the same table as the password. 我通常将它放在与密码相同的表中的字段中。 The purpose of the salt isn't to remain hidden, it's to make rainbow tables difficult (hopefully impossible) to compute in a timely manner. 盐的目的不是保持隐藏,而是让彩虹表很难(希望不可能)及时计算。
Here's a quick snippet that will work in C#: 这是一个可以在C#中使用的快速代码段:
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buffer = new byte[1024];
rng.GetBytes(buffer);
string salt = BitConverter.ToString(buffer);
var saltedPassword = password + salt;
or... 要么...
var salt = Guid.NewGuid().ToString();
var saltedPassword = password + salt;
解决方案2
4 2010-06-17 16:48:08
I suppose you are asking for a username along with the password? 我想你要求用户名和密码?
In some systems username is used as a salt. 在某些系统中,用户名用作盐。 (And I think it is OK to do that.) Otherwise you'll need to have your salt stored somewhere and retrieve it before hashing (in case of random-created salt) or have an algorithm which will return the same salt for the same user (and it is not better that just using a plain username). (我认为这样做是可以的。)否则你需要将盐存储在某处并在散列之前检索它(如果是随机创建的盐)或者有一个算法将返回相同的盐用户(仅使用普通用户名并不是更好)。
Personally use the following code: 个人使用以下代码:
byte[] GetSaltedPasswordHash(string username, string password)
{
byte[] pwdBytes = Encoding.UTF8.GetBytes(password);
// byte[] salt = BitConverter.GetBytes(userId);
byte[] salt = Encoding.UTF8.GetBytes(username);
byte[] saltedPassword = new byte[pwdBytes.Length + salt.Length];
Buffer.BlockCopy(pwdBytes, 0, saltedPassword, 0, pwdBytes.Length);
Buffer.BlockCopy(salt, 0, saltedPassword, pwdBytes.Length, salt.Length);
SHA1 sha = SHA1.Create();
return sha.ComputeHash(saltedPassword);
}
解决方案4
0 2010-06-17 15:37:36
没有魔法,盐只是一些随机文字附加到密码来打败字典攻击 - 弥补你自己的乱码。
解决方案5
0 2010-06-17 15:37:45
Have a look at the hmac functions like hmacdm5 , hmacsha1 or hmacsha256 . 看看hmac函数,如hmacdm5 , hmacsha1或hmacsha256 。
Look at the System.Security.Cryptography namespace, too. 请查看System.Security.Cryptography命名空间。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.