如何在 C# Windows 窗体应用程序中轻松添加密码?

发布于 2024-09-05 17:40:58 字数 61 浏览 4 评论 0原文

如何轻松地从 Textbox.Text 中添加密码?

.NET 框架中有一些内置的魔法吗?

How can I easily salt a password from a Textbox.Text?

Are there some built in wizardry in the .NET framework?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

太阳哥哥 2024-09-12 17:40:58

不久前,我们就对密码加盐时的最佳实践进行了一次精彩的讨论,您可能会在那里找到一些很棒的想法:

对您的密码加盐:最佳实践?

我发现最简单且相当安全的方法之一是使用 GUID 作为您的加盐。它是随机的并且足够长。如果包含 GUID 的字符串格式(“{”和“-”字符),效果最佳,但并非必须如此。

请记住,每个加盐项目的盐必须是唯一的,为了最安全,您应该使用加密安全的随机数生成器。还请记住,您必须将盐与密码一起存储,否则您将无法根据哈希版本检查明文版本!如果您愿意,您可以不加密地存储盐;我通常将其与密码放在同一个表的字段中。盐的目的不是保持隐藏,而是使彩虹表难以(希望不可能)及时计算。

下面是一个适用于 C# 的快速片段:

RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buffer = new byte[1024];

rng.GetBytes(buffer);
string salt = BitConverter.ToString(buffer);
var saltedPassword = password + salt;

或者...

var salt = Guid.NewGuid().ToString();
var saltedPassword = password + salt;

We had a great discussion a while ago about best practices when salting a password, you might find some great ideas there:

Salting Your Password: Best Practices?

I've found that one of the easiest, while still being fairly secure, is to use a GUID as your salt. It's random and sufficiently long. It works best if you include the string formatting of the GUID (the '{' and '-' characters), but you don't have to.

Remember that the salt has to be unique per item salted and that to be most secure, you should use a cryptographically secure random number generator. Remember also that you have to store your salt along with the password, or you won't be able to check the plaintext version against the hashed version! You can store the salt un-encrypted if you like; I typically put it in a field on the same table as the password. The purpose of the salt isn't to remain hidden, it's to make rainbow tables difficult (hopefully impossible) to compute in a timely manner.

Here's a quick snippet that will work in C#:

RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buffer = new byte[1024];

rng.GetBytes(buffer);
string salt = BitConverter.ToString(buffer);
var saltedPassword = password + salt;

or...

var salt = Guid.NewGuid().ToString();
var saltedPassword = password + salt;
尘曦 2024-09-12 17:40:58

我想您是在要求用户名和密码吗?

在某些系统中,用户名用作盐。 (我认为这样做是可以的。)
否则,您需要将盐存储在某处并在散列之前检索它(在随机创建盐的情况下),或者有一个算法将为同一用户返回相同的盐(并且仅仅使用普通的盐并不更好)用户名)。

个人使用如下代码:

byte[] GetSaltedPasswordHash(string username, string password)
{
    byte[] pwdBytes = Encoding.UTF8.GetBytes(password);
    // byte[] salt = BitConverter.GetBytes(userId);
    byte[] salt = Encoding.UTF8.GetBytes(username);
    byte[] saltedPassword = new byte[pwdBytes.Length + salt.Length];

    Buffer.BlockCopy(pwdBytes, 0, saltedPassword, 0, pwdBytes.Length);
    Buffer.BlockCopy(salt, 0, saltedPassword, pwdBytes.Length, salt.Length);

    SHA1 sha = SHA1.Create();

    return sha.ComputeHash(saltedPassword);
}

I suppose you are asking for a username along with the password?

In some systems username is used as a salt. (And I think it is OK to do that.)
Otherwise you'll need to have your salt stored somewhere and retrieve it before hashing (in case of random-created salt) or have an algorithm which will return the same salt for the same user (and it is not better that just using a plain username).

Personally use the following code:

byte[] GetSaltedPasswordHash(string username, string password)
{
    byte[] pwdBytes = Encoding.UTF8.GetBytes(password);
    // byte[] salt = BitConverter.GetBytes(userId);
    byte[] salt = Encoding.UTF8.GetBytes(username);
    byte[] saltedPassword = new byte[pwdBytes.Length + salt.Length];

    Buffer.BlockCopy(pwdBytes, 0, saltedPassword, 0, pwdBytes.Length);
    Buffer.BlockCopy(salt, 0, saltedPassword, pwdBytes.Length, salt.Length);

    SHA1 sha = SHA1.Create();

    return sha.ComputeHash(saltedPassword);
}
最佳男配角 2024-09-12 17:40:58

这是一篇好文章另一个(更适合 ASP.NET 应用程序)。

Here's a nice article and another one (which is more adapted to ASP.NET applications).

手心的温暖 2024-09-12 17:40:58

没有什么魔法,盐只是附加到密码上的一些随机文本,用于抵御字典攻击 - 编造你自己的胡言乱语。

There is no wizardry, a salt is simply some random text appended to a password to defeat dictionary attacks - make up your own jibberish.

静水深流 2024-09-12 17:40:58

查看 hmac 函数,例如 hmacdm5hmacsha1 或 hmacsha256
还要查看 System.Security.Cryptography 命名空间。

Have a look at the hmac functions like hmacdm5, hmacsha1 or hmacsha256.
Look at the System.Security.Cryptography namespace, too.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文