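I got the AdventureWorks2012 DB from http://msftdbprodsamples.codeplex.com/releases/view/55330 and am trying to validate a password from the Person.Password table. The 'PasswordHash' column is described as "Password for the e-mail account." and the 'PasswordSalt' column's description says "Random value concatenated with the password string before the password is hashed." AdventureWorks2012 DB - how are passwords stored, and how can a password be validated?
Here is sample data from the database: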
BusinessEntityID, PasswordHash, PasswordSalt, EmailAddress
---------------- --------------------------------------------------------------------------
1, pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM=, bE3XiWw=, [email protected]
2, bawRVNrZQYQ05qF05Gz6VLilnviZmrqBReTTAGAudm0=, "EjJaC3U=, [email protected]
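How do I know which hash algorithm was used to create PasswordHash? And how is the PasswordSalt generated?
Below is the code that tries to validate the password, but none of the hash algorithms work. Can anyone please explain this?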
    using System;
    using System.Linq;
    using System.Security.Cryptography;
    using System.Text;

    // ISecurityService and Password are types from the asker's project (not shown here).
    public class SecurityService : ISecurityService
    {
        public string UserName { get; set; }

        public bool ValidateCredentials(string password, Password dbPassword)
        {
            byte[] saltBytes = Convert.FromBase64String(dbPassword.PasswordSalt); //dbPassword.PasswordSalt: bE3XiWw=
            byte[] passwordBytes = Encoding.Unicode.GetBytes(password); //password: [email protected]
            byte[] passwordHashBytes = Convert.FromBase64String(dbPassword.PasswordHash); //dbPassword.PasswordHash: pbFwXWE99vobT6g+vPWFy93NtUU/orrIWafF01hccfM=
            byte[] passwordHashed = Hash(passwordBytes, saltBytes);
            // Compare the computed hash with the stored hash directly;
            // the stored hash must not be salted and hashed a second time.
            return passwordHashBytes.SequenceEqual(passwordHashed);
        }

        // Hashes the value followed by the salt with the selected algorithm.
        private static byte[] Hash(byte[] value, byte[] salt)
        {
            byte[] saltedValue = value.Concat(salt).ToArray();
            return HashAlgorithm.Create("MD5").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA1").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA256").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA384").ComputeHash(saltedValue);
            //return HashAlgorithm.Create("SHA512").ComputeHash(saltedValue);
        }
    }
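Are you sure that in this sample the password is the same as the value in the email address column? –
Yes, that is the description of the passwordhash column. – user3851226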
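An added example, not part of the original question or its comments: the stored hash in the question decodes from Base64 to 32 bytes, and of the five algorithms tried there only SHA256 produces a digest of that length, so a probe can discard the others before hashing anything. The sketch below does that length check and then tries each encoding and salt placement against a constructed record; `HashSchemeProbe`, `Probe`, the sample password and the sample salt are hypothetical, .NET Core 2.1 or later is assumed, and the scheme AdventureWorks actually used is not stated on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class HashSchemeProbe // hypothetical helper, not from the page
{
    static readonly Dictionary<string, Func<HashAlgorithm>> Algorithms = new Dictionary<string, Func<HashAlgorithm>>
    {
        ["MD5"] = () => MD5.Create(), ["SHA1"] = () => SHA1.Create(), ["SHA256"] = () => SHA256.Create(),
        ["SHA384"] = () => SHA384.Create(), ["SHA512"] = () => SHA512.Create(),
    };
    // Returns each algorithm/encoding/order combination that reproduces the stored hash.
    public static List<string> Probe(string password, string saltB64, string hashB64)
    {
        byte[] salt = Convert.FromBase64String(saltB64), stored = Convert.FromBase64String(hashB64);
        var encodings = new Dictionary<string, Encoding> { ["UTF-8"] = Encoding.UTF8, ["UTF-16LE"] = Encoding.Unicode };
        var matches = new List<string>();
        foreach (var alg in Algorithms)
        {
            using HashAlgorithm h = alg.Value();
            if (h.HashSize / 8 != stored.Length) continue; // a digest of the wrong length can never match
            foreach (var enc in encodings)
            {
                byte[] pw = enc.Value.GetBytes(password);
                var inputs = new Dictionary<string, byte[]>
                {
                    ["password + salt"] = pw.Concat(salt).ToArray(),
                    ["salt + password"] = salt.Concat(pw).ToArray(),
                    ["password + Base64 salt text"] = enc.Value.GetBytes(password + saltB64),
                };
                foreach (var input in inputs)
                    if (CryptographicOperations.FixedTimeEquals(h.ComputeHash(input.Value), stored))
                        matches.Add($"{alg.Key}, {enc.Key}, {input.Key}");
            }
        }
        return matches;
    }

    public static void Main()
    {
        // Constructed record (not AdventureWorks data): SHA-256 over UTF-16LE password bytes + salt bytes.
        const string password = "constructed-sample-password", saltB64 = "c2FtcGxlc2FsdA==";
        byte[] input = Encoding.Unicode.GetBytes(password).Concat(Convert.FromBase64String(saltB64)).ToArray();
        string hashB64 = Convert.ToBase64String(SHA256.Create().ComputeHash(input));
        Console.WriteLine(string.Join("; ", Probe(password, saltB64, hashB64)));
    }
}
```

An empty result for a known-correct password means none of the listed constructions was used, for example because the scheme is iterated or keyed, or because the sample data was never derived from real passwords.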