问题描述

我已经用C#设计了一个注册页面，所有用户都必须输入密码，然后程序将使用SHA512哈希方法将密码保存在数据库上之前对密码进行哈希处理.

I have designed a signup page in C# and all users have to enter their password then the program will hash the password before saving it on a database with a SHA512 hashing method.

现在，我想用在数据库中保存的密码来验证登录页面上输入的密码.

Now, I want to verify entered password on the login page with the saved password on database.

下面的代码是我用来哈希密码的方法.

Below code is the method that I used to hash the passwords.

现在如何在登录页面上验证输入的密码?

Now how can I verify entered password on login page???

byte[] infos = System.Text.Encoding.ASCII.GetBytes(txtPassword.Text);
infos = new System.Security.Cryptography.SHA512Managed().ComputeHash(infos);
String hash = System.Text.Encoding.ASCII.GetString(infos);

推荐答案

Sha *哈希家族不适合安全地存储密码，因为它们的速度太快并且容易被暴力破解.您应该切换到专用密码哈希函数，例如BCrypt，Argon2或PBKDF2，它们会应用盐并使用键拉伸.

The Sha* hash family is not appropriate to store passwords safely, because they are way too fast and can be brute-forced too easily. You should switch to a dedicated password-hash function like BCrypt, Argon2 or PBKDF2, which apply a salt and use key-stretching.

可通过Nuget获得良好的BCrypt库: https://www.nuget .org/packages/BCrypt.Net-Next/

A good BCrypt library is available via Nuget: https://www.nuget.org/packages/BCrypt.Net-Next/

它的用法非常直接:

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
string hashToStoreInDb = BCrypt.HashPassword(password);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from existingHashFromDb.
bool isPasswordCorrect = BCrypt.Verify(password, existingHashFromDb);

这篇关于验证C#中的SHA512哈希密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！