
Retrieve the hashed password from the database to the text

I want to add a Forgot your password? feature to my program. I can already retrieve the hashed username and password from the database and send them to the user's e-mail (I used my own e-mail address as the user), but the e-mail I receive still contains the hashed password exactly as stored in the database (not the actual password before hashing). Since I don't know how to retrieve the actual password, what I get is either an error (a boolean) or the hashed password.

Could you guys help me?

Here is the code I am using:

The code below is used to retrieve the information (SystemManager class):

public static void RecoverMember(string _value1, string _selectedIndex, string _value2, Form _windowsForm, TextBox _windowsTextBox)
{
    using (OleDbConnection connection = new OleDbConnection(connectionString))
    {
        // Parameterised lookup of the member row by e-mail address
        string query = "SELECT * FROM [Member] WHERE [Email] = @Email";

        connection.Open();

        using (OleDbCommand command = new OleDbCommand(query, connection))
        {
            command.Parameters.Add("@Email", OleDbType.VarChar);
            command.Parameters["@Email"].Value = _value1;

            using (OleDbDataReader reader = command.ExecuteReader())
            {
                if (reader.Read())
                {
                    UserInformation.FirstName = (string)reader["FirstName"];
                    UserInformation.LastName = (string)reader["LastName"];
                    UserInformation.Name = (string)reader["Username"];

                    // The stored values are BCrypt hashes
                    string securityQuestion = (string)reader["SecurityQuestion"];
                    string securityAnswer = (string)reader["SecurityAnswer"];
                    string password = (string)reader["Password"];

                    // User input is checked against the stored hashes
                    _isValidRecoverSecurityQuestion = BCrypt.ValidateHash(_selectedIndex, securityQuestion);
                    _isValidRecoverSecurityAnswer = BCrypt.ValidateHash(_value2, securityAnswer);
                    // Checks the stored hash against itself; yields a bool, not the original password
                    _recoveredPassword = BCrypt.ValidateHash(password, password);

                    UserInformation.Password = Convert.ToString(_recoveredPassword);

                    if (_isValidRecoverSecurityQuestion && _isValidRecoverSecurityAnswer)
                    {
                        Authenticate _authenticate = new Authenticate();

                        _authenticate.ShowDialog();

                        ShowMessageBox("Your credentials has been sent to your email.", "Success", 2);

                        SendRecoverCredentials(_value1);

                        _windowsForm.Hide();

                        _windowsForm.Close();
                    }
                }

                if (!_isValidRecoverSecurityQuestion || !_isValidRecoverSecurityAnswer)
                {
                    Authenticate _authenticate = new Authenticate();

                    _authenticate.ShowDialog();

                    ShowMessageBox("Either your email, security question or answer incorrect. Please try again.", "Error", 1);

                    ClearTextBoxes(_windowsForm.Controls);

                    _windowsTextBox.Focus();
                }

                reader.Close();
            }
        }

        connection.Close();
    }
}

The following code is used to send the e-mail to the user (SystemManager class):

public static void SendRecoverCredentials(string _to)
{
    try
    {
        SmtpClient _smtp = new SmtpClient();

        MailMessage _message = new MailMessage();

        _message.From = new MailAddress("credentialhelper@gmail.com", "SIA - Point of Sales - Support -");
        _message.To.Add(new MailAddress(_to, UserInformation.FirstName + " " + UserInformation.LastName));
        _message.Subject = "Credentials Recover";
        _message.Body = "Dear " + UserInformation.FirstName + " " + UserInformation.LastName + "," +
            "\n\n\nBelow are your credentials:" + "\n\n\n\n" + "Username: " + UserInformation.Name + "\nPassword: " + UserInformation.Password +
            "\n\n\n\nTo avoid for the future message been moved to the spam or junk folder, please add credentialhelper@gmail.com to be your contact list." +
            "\n\n\n*** This is an automatically computer generated message, please do not reply to this message ***";

        _smtp.Port = 587;
        _smtp.Host = "smtp.gmail.com";
        _smtp.EnableSsl = true;
        _smtp.UseDefaultCredentials = false;
        _smtp.Credentials = new NetworkCredential("credentialhelper@gmail.com", "(the password does not shown in here)");

        _smtp.DeliveryMethod = SmtpDeliveryMethod.Network;
        _smtp.Send(_message);

        ShowMessageBox("Your message has been successfully sent.", "Success", 2);
    }

    catch (Exception ex)
    {
        ShowMessageBox("Message : " + ex + "\n\nEither your e-mail or password incorrect. (Are you using Gmail account?)", "Error", 1);
    }
}

Here is where I use it (the Recover form):

// button1_Click is for the Submit button

void button1_Click(object sender, EventArgs e)
{
    if (this.textBox1.Text == string.Empty || string.IsNullOrWhiteSpace(this.textBox1.Text))
    {
        SystemManager.ShowMessageBox("E-mail required.", "Information", 2);
    }

    else if (_isCheckedEmail != true)
    {
        SystemManager.ShowMessageBox("You have to check the validity of your e-mail before proceed.", "Information", 2);
    }

    else if (this.textBox2.Text == string.Empty || string.IsNullOrWhiteSpace(this.textBox2.Text))
    {
        SystemManager.ShowMessageBox("Security Answer required.", "Information", 2);
    }

    else
    {   // textBox1 is for the e-mail field
        // comboBox1 is for the security question field
        // textbox2 is for the security answer field

        SystemManager.RecoverMember(this.textBox1.Text, this.comboBox1.Text, this.textBox2.Text, this, this.textBox1);
    }

}

Here is the Recover form designer (screenshot):

// CheckValidity button is for checking whether the e-mail is valid or not.
// Reset button is for clearing the textboxes in the form.

Here are the database image and the e-mail message (screenshots):

Sorry for the long post. Thank you very much for answering. Thanks a lot.

Update 1:

If I change Password: UserInformation.Password in

_message.Body = "Dear " + UserInformation.FirstName + " " + UserInformation.LastName + "," +
    "\n\n\nBelow are your credentials:" + "\n\n\n\n" + "Username: " + UserInformation.Name + "\nPassword: " + UserInformation.Password +
    "\n\n\n\nTo avoid for the future message been moved to the spam or junk folder, please add credentialhelper@gmail.com to be your contact list." +
    "\n\n\n*** This is an automatically computer generated message, please do not reply to this message ***";

to Password: _recoveredPassword

what I get is the hashed password displayed, instead of false.

The whole point of hashing is that it is one-way: the original password cannot be retrieved from the hash.

A "forgotten password" feature should not e-mail the user their current password... it should generate a temporary "reset only" password (ideally with a short expiry) and e-mail that to the user, inside a link. The user then clicks the link, which lets them set their password to a new "full" password. (You really do not want the "secret" sent by e-mail to act as a long-term password.)

The fact that anything sensitive is sent by e-mail at all is somewhat undesirable... if this is for very sensitive data, you do not want the e-mail itself to be enough to change the password (or log in); it would be better combined with some code displayed in the browser on the page shown when the user requests the reset link. Then there is two-factor authentication and all kinds of other security options... but at the very least, a reset link is the place to start.

You should absolutely never e-mail the plaintext version of a password the user entered themselves. (I get very annoyed when other sites do this.) Although many users know they should not use the same password on multiple sites, they frequently still do, so if that e-mail is intercepted you not only put their account on your site at risk, but potentially other sites as well.

Hashing is a one-way operation. We cannot get the original string back from the hash we have. So when handling the login flow, we should compare hashes (the hash stored in the db against the hash of what the user entered).
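Added example, not code from the question or from either answer: a minimal reset-token flow in C# that follows the first answer's advice (short-lived, single-use link instead of a password) and applies the second answer's rule to the token itself (store a hash, compare hashes). The class and method names, the 30-minute lifetime and the use of SHA-256 for the token hash are assumptions; the placeholder link host is constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical row for a pending reset (would sit next to the question's [Member] table).
public sealed class PasswordResetRequest
{
    public string Email { get; set; }
    public string TokenHash { get; set; }   // hash only; the raw token is never stored
    public DateTime ExpiresUtc { get; set; }
    public bool Used { get; set; }
}

public static class PasswordReset
{
    // Step 1: mint a random single-use token. The raw token goes into the e-mailed
    // link (e.g. https://example.invalid/reset?token=...); the database keeps only its hash.
    public static string CreateRequest(string email, out PasswordResetRequest request, int lifetimeMinutes = 30)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(32);
        string token = Convert.ToBase64String(raw).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        request = new PasswordResetRequest
        {
            Email = email,
            TokenHash = Hash(token),
            ExpiresUtc = DateTime.UtcNow.AddMinutes(lifetimeMinutes),
            Used = false
        };
        return token;
    }

    // Step 2: when the link is clicked, hash the presented token and compare it with the
    // stored hash, just as a login compares password hashes; then let the user set a new password.
    public static bool TryConsume(PasswordResetRequest request, string presentedToken, DateTime nowUtc)
    {
        if (request == null || request.Used || nowUtc > request.ExpiresUtc) return false;
        byte[] expected = Convert.FromBase64String(request.TokenHash);
        byte[] actual = Convert.FromBase64String(Hash(presentedToken ?? string.Empty));
        if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return false;
        request.Used = true;   // one shot: the same link cannot be replayed
        return true;
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

After TryConsume returns true, the new password the user chooses is stored as a BCrypt hash, the same way the question's code already stores it.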
