问题描述
我已经用C#设计了一个注册页面,所有用户都必须输入密码,然后程序将使用SHA512哈希方法将密码保存在数据库上之前对密码进行哈希处理.
I have designed a signup page in C# and all users have to enter their password then the program will hash the password before saving it on a database with a SHA512 hashing method.
现在,我想用在数据库中保存的密码来验证登录页面上输入的密码.
Now, I want to verify entered password on the login page with the saved password on database.
下面的代码是我用来哈希密码的方法.
Below code is the method that I used to hash the passwords.
现在如何在登录页面上验证输入的密码?
Now how can I verify entered password on login page???
byte[] infos = System.Text.Encoding.ASCII.GetBytes(txtPassword.Text);
infos = new System.Security.Cryptography.SHA512Managed().ComputeHash(infos);
String hash = System.Text.Encoding.ASCII.GetString(infos);
推荐答案
Sha *哈希家族不适合安全地存储密码,因为它们的速度太快并且容易被暴力破解.您应该切换到专用密码哈希函数,例如BCrypt,Argon2或PBKDF2,它们会应用盐并使用键拉伸.
The Sha* hash family is not appropriate to store passwords safely, because they are way too fast and can be brute-forced too easily. You should switch to a dedicated password-hash function like BCrypt, Argon2 or PBKDF2, which apply a salt and use key-stretching.
可通过Nuget获得良好的BCrypt库: https://www.nuget .org/packages/BCrypt.Net-Next/
A good BCrypt library is available via Nuget: https://www.nuget.org/packages/BCrypt.Net-Next/
它的用法非常直接:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
string hashToStoreInDb = BCrypt.HashPassword(password);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from existingHashFromDb.
bool isPasswordCorrect = BCrypt.Verify(password, existingHashFromDb);
这篇关于验证C#中的SHA512哈希密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!