HashPasswordForStoringInConfigFile - different hash values for the same password
I have recently implemented hashing for my passwords in a project I am working on, and I can't seem to figure out what is going wrong.
It seems that the HashPasswordForStoringInConfigFile() function is returning different values for the same password.
I have the following code implemented, which actually closely resembles the recommended algorithm to use on the MSDN documentation.
I know that SHA1 hashing is not considered very safe, but this is for a research application, and I am not too worried about it at this point.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Web.Security;   // FormsAuthentication lives in System.Web (.NET Framework)

public const int DefaultSaltSize = 5;

private static string CreateSalt()
{
    // DefaultSaltSize random bytes, returned base64-encoded
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    byte[] buffer = new byte[DefaultSaltSize];
    rng.GetBytes(buffer);
    return Convert.ToBase64String(buffer);
}

public static string CreateHash(string password)
{
    // Generates a fresh salt, hashes password + salt, and appends the salt to the hash
    string salt = CreateSalt();
    string saltAndPassword = String.Concat(password, salt);
    string hashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPassword, "SHA1");
    hashedPassword = string.Concat(hashedPassword, salt);
    return hashedPassword;
}

public static bool VerifyPassword(string username, string password, AccountDataContext context)
{
    var user = context.UserAccounts.FirstOrDefault(p => p.UserName == username);
    if (user != null)
    {
        // Takes the last DefaultSaltSize characters of the stored value as the salt,
        // then hashes the supplied password with CreateHash (which generates its own salt)
        string salt = user.Password.Substring(user.Password.Length - DefaultSaltSize);
        string hashedPassword = CreateHash(password);
        return hashedPassword.Equals(user.Password);
    }
    return false;
}
Simply put, if I have the following code:

string password1 = "password";
string password2 = "password";
var hashedPassword1 = CreateHash(password1);
var hashedPassword2 = CreateHash(password2);
var match = hashedPassword1.Equals(hashedPassword2);
// match should be True, but it is turning out False.

It seems that HashPasswordForStoringInConfigFile() is not returning the same hash for password1 and password2 in the CreateHash() method.
I understand that with the salt applied they are not the same, but as you can see in the code, I am removing the salt before comparing the two hashed passwords for equality.
What could possibly be causing password1 and password2 to be hashed differently?
Your code has added salt (a random value) to the password before hashing. This is a good thing.
It means that if user A and user B use the same password, the password hashes will nevertheless be different.
Your VerifyPassword method is not using the original salt to hash the password for comparing - instead it calls CreateHash, which calls CreateSalt and creates new salt. You might try something like:
Even though VerifyPassword looks like it's stripping off the salt portion of the unhashed string, the code you say should return true doesn't actually call VerifyPassword.
Your code simply generates two salted hashes and then uses String.Equals to compare them.
What happens when you use VerifyPassword instead of String.Equals?
This code doesn't work at all either. Why is it marked as the correct answer?
The default length of the salt is set to 5.
CreateSalt, when it converts a 5-byte array to a string, produces 8 characters, not 5.
VerifyPassword then takes only 5 characters off for the salt, not 8, so the verify will always fail, since it is using 5 characters for the salt and not the 8 that were used to create the hashed password.
Below is updated code to make the above code work.
This is how I called it.
As long as the passwords match it returns true; otherwise it returns false.
This gives you what I think was intended, which was not only to include the salt inside the hash but also to append it outside the hash, so it can all be stored as one column value in a database and then used to recreate the hash of the user-entered password with the stored salt value and get a match.
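The first answer ends with "You might try something like:" and the last one refers to "updated code", but neither snippet survives on this page. The following is an added example, written for this page and not the poster's or either answerer's code. It puts both corrections together: VerifyPassword recovers the salt from the stored value instead of calling CreateSalt again, and the number of salt characters to strip is derived from the base64 length (8 characters for 5 bytes) rather than hard-coded to 5. The class name SaltedHash and its method names are my own; the database lookup is left out, so VerifyPassword takes the stored column value directly. Sha1Hex stands in for FormsAuthentication.HashPasswordForStoringInConfigFile(input, "SHA1"), which on .NET Framework returns the SHA1 of the UTF-8 bytes as upper-case hex; the helper is assumed to match that so the sample runs without a System.Web reference. If you keep System.Web, substitute the real call.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the question or answers): salted SHA1 stored as
// "hexhash + salt" in one string, with a verify routine that reuses the stored salt.
public static class SaltedHash
{
    // Assumption: 5 random salt bytes, as in the question. Base64 encodes 5 bytes
    // as 8 characters ("xxxxxx==" after padding), so the suffix length is derived
    // from the encoding rather than hard-coded to 5.
    public const int SaltBytes = 5;
    public static readonly int SaltChars = Convert.ToBase64String(new byte[SaltBytes]).Length;

    public static string CreateSalt()
    {
        var buffer = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(buffer);
        }
        return Convert.ToBase64String(buffer);
    }

    // Assumed equivalent of HashPasswordForStoringInConfigFile(input, "SHA1"):
    // SHA1 over the UTF-8 bytes, rendered as upper-case hex (40 characters).
    public static string Sha1Hex(string input)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(input));
            var sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) sb.Append(b.ToString("X2"));
            return sb.ToString();
        }
    }

    // The salt goes into the hash input and is also appended in clear, so the one
    // stored string carries everything needed to check a password later.
    public static string CreateHash(string password, string salt)
    {
        return Sha1Hex(password + salt) + salt;
    }

    public static string CreateHash(string password)
    {
        return CreateHash(password, CreateSalt());
    }

    // Recover the salt from the stored value, re-hash the candidate with that salt,
    // and compare. A new salt is never generated here.
    public static bool VerifyPassword(string candidate, string stored)
    {
        if (stored == null || stored.Length <= SaltChars) return false;
        string salt = stored.Substring(stored.Length - SaltChars);
        string recomputed = CreateHash(candidate, salt);
        return FixedTimeEquals(recomputed, stored);
    }

    // Compare without short-circuiting on the first differing character.
    // (CryptographicOperations.FixedTimeEquals exists only on .NET Core 2.1 and later.)
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        string stored = CreateHash("password");
        Console.WriteLine(stored.Length == 40 + SaltChars);
        Console.WriteLine(VerifyPassword("password", stored));
        Console.WriteLine(VerifyPassword("Password", stored));
        // Two hashes of the same password carry different salts, which is why the
        // question's CreateHash(p1).Equals(CreateHash(p2)) check can never be the test.
        Console.WriteLine(CreateHash("password") == CreateHash("password"));
    }
}
```

Main prints True, True, False, False: the stored value is 48 characters (40 hex digits plus 8 salt characters), the right password verifies, a wrong one does not, and two fresh hashes of the same password differ because each carries its own salt. The structure is the one the question was aiming for; for anything beyond a research prototype, replace the single SHA1 pass with a deliberately slow password hash such as PBKDF2 (Rfc2898DeriveBytes in .NET), since an unsalted-or-salted single SHA1 round is cheap to brute-force.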