stackoom
  简体   繁体   中英

storing passwords in sql server database using ef core code first

 原文  2017-03-06 19:59:35       c#/ authentication/ passwords/ asp.net-core-mvc

Question

I have this class to represent my users: 

public class User
{
    public int ID {get; set;}
    public string UserName {get; set;}
    [DataType(DataType.Password)]
    public string Password {get; set;}
}

A simplistic version of my register method looks like this: 

[HttpPost]
Register(User newUser)
{
    ...
    _context.add(newUser);
    await _context.SaveChangesAsync();
    ...
}

So my question is: Should I alter the password type from a regular string before storing? If so, to what data type?

2 answers

solution1
 5 ACCPTED  2017-03-06 20:03:47

YES YES YES

Never store passwords as plain text

While much of this is a security discussion rather than a programming one, you should only be storing a secure hash (PBKDF2, Argon, and Bcrypt are current standards) along with a unique salt used for that hash.

Storing it as you are is just asking someone to steal your database and get all your users passwords without any more effort than reading the Password column (which they probably reused a million other places).

Its still OK to store it as string though.

The DataType.Password is just an annotation for consumers of your class to read. (per https://msdn.microsoft.com/en-us/library/system.componentmodel.dataannotations.datatype(v=vs.110).aspx ). It does not enhance security from a storage/database perspective.

solution2
 1  2017-03-06 20:06:58

You should never store a password in the database if you can avoid it. Best practice is to store a salted, irreversible hash of the password.

Typically this would be a SHA2 or PBKDF2, or whatever of the password salted with something that cannot change about the user-- eg the ID of the record.

You would store the has typically as a varbinary(32) or whatever length your hash algorithm uses.

This approach means that you cannot determine a user's password, since it is irreversible. To test a password of someone attempting to login, perform the same hash with the same salt, and test if the result is the same as what you have in your database. This way, a hacker who gets your database cannot figure out what each user's password is, but you can still test if a user knows their own password.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Storing DateTimeOffset value without milliseconds in SQL Server using EF Core How to update database on remote ms sql server (EF Code First) Storing list of objects in a SQL Server database with code-first Database creation with EF Core + Code First + migrations Using SQL Server json properties with code first EF Exception using Linq query with EF Code first on SQL Server table How to create database in Microsoft SQL Server using linq2db by code first approach in .NET CORE 2.2 Storing DateTime property instead of byte array in SQL table using Code-First MVC5 EF6 EF Code First: Cannot connect to SQL Server EF Core 3.1 DB First to Code First update old database
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM