Comparing Encrypted Passwords in Database and User Input With Encrypto

How do I compare encrypted passwords that I inserted in the database with the user's input? I noticed that while I was testing my program, I created an account where they both have the same password but they have different encryptions. How would I know if the user's input is the same as the one in the database? Does Encrypto do it that way, or does Encrypto have a distinctive way of determining which is which?

And am I using Encrypto right in this code?

// Hasher comes from the Encrypto library
var hasher = new Hasher();
// Length of the random salt, in bytes
hasher.SaltSize = 16;

// "Encrypts" (actually salts and hashes) the password entered in the form;
// the result is a string containing the hash plus the random salt
var encryptedPassword = hasher.Encrypt(txtPass.Text);

Account newUser = new Account();

System.Text.UTF8Encoding encoding = new System.Text.UTF8Encoding();

newUser.accnt_User = txtUser.Text;
newUser.accnt_Position = txtPosition.Text;
// Store the UTF-8 bytes of the hash string in the binary column
newUser.accnt_Pass = new System.Data.Linq.Binary(encoding.GetBytes(encryptedPassword));

Two identical passwords can result in different hashes because Encrypto appends a random salt to the end of the password before hashing it.

On CodePlex, check out the source code for Hasher.cs to see how they do this. They basically use the salt to do the hash and then append the salt to the end of the hash. This is what you store in the DB.

When a user sets their password or a new user registers, you hash the password and store it in the DB:

var hasher = new Hasher();
hasher.SaltSize = 16;
var hashedPasswordToStoreInDB = hasher.Encrypt(passwordToSet);

Later on, when they log in and enter their password, you compare the password that the user types to the previously hashed version retrieved from the DB like this:

var hasher = new Hasher();
hasher.SaltSize = 16;
bool areEqual = hasher.CompareStringToHash(enteredPassword, hashFromDatabase);

Again, if you look at the source code (Hasher.CompareStringToHash) you will see that the random salt is recovered from the stored hash and then used to compute a new hash from the entered password.
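The store-then-recover scheme the answer describes, as an added example that is not Encrypto's code: the stored value is the hash followed by the salt, and verification reads the salt back from the tail of that value. It assumes .NET 6 or later for `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes`; the 16-byte salt size matches `hasher.SaltSize` in the question, while the PBKDF2 parameters are this example's own choice.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not Encrypto's implementation: "hash || salt" storage format.
public static class SaltedPassword
{
    private const int SaltSize = 16;      // bytes, same as hasher.SaltSize in the question
    private const int HashSize = 32;      // bytes of derived key to keep
    private const int Iterations = 100_000; // assumed work factor for this example

    // Hash with a fresh random salt and return hash followed by salt.
    // Calling this twice with the same password yields two different arrays.
    public static byte[] Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Derive(password, salt);
        byte[] stored = new byte[HashSize + SaltSize];
        Buffer.BlockCopy(hash, 0, stored, 0, HashSize);
        Buffer.BlockCopy(salt, 0, stored, HashSize, SaltSize);
        return stored;
    }

    // Recover the salt from the stored value, recompute, and compare.
    public static bool Verify(string password, byte[] stored)
    {
        if (stored == null || stored.Length != HashSize + SaltSize) return false;
        byte[] expected = new byte[HashSize];
        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 0, expected, 0, HashSize);
        Buffer.BlockCopy(stored, HashSize, salt, 0, SaltSize);
        byte[] actual = Derive(password, salt);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        return Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), salt, Iterations, HashAlgorithmName.SHA256, HashSize);
    }

    public static void Main()
    {
        byte[] first = Create("correct horse");
        byte[] second = Create("correct horse");
        Console.WriteLine("stored values identical: " + Convert.ToBase64String(first).Equals(Convert.ToBase64String(second)));
        Console.WriteLine("both verify: " + (Verify("correct horse", first) && Verify("correct horse", second)));
        Console.WriteLine("wrong password verifies: " + Verify("wrong", first));
    }
}
```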

I don't know about Encrypto specifically, but the general principle is this: you "salt" the password, then encrypt it, and store it in the database. When someone logs in, you redo the same thing: salt, encrypt, and then compare to the other hash stored in the database.

The reason why two identical passwords may yield different hashes is the salt; you alter the password before encrypting it, so that looking at the hashes only makes it harder to figure out your hashing mechanism. The salt can be always the same (poor security), a function of the username, or a function of another random string that you store along with the encrypted password in the database.

Again, I don't know Encrypto, but just use the same logic you used to generate the hash in the database when you want to compare with the user's input password.
