tl;博士使用密钥派生函数，如 bcrypt、scrypt 或(如果您需要 FIPS 合规性)) PBKDF2 的工作系数足以使单个密码的散列时间接近 1000 毫秒或更长.如今，散列很容易暴力破解，近代历史上有大量数据泄露的例子.为了防止您的用户的密码在下一次黑客攻击中最终出现在 pastebin 上，请确保使用需要 足够长的时间来计算的函数对密码进行散列！尝试使用 IdentityReboot 或 Troy Hunt 谈到的来自 Microsoft 的新实现至少.同样有趣的是，在上面提到的同一个谷歌结果中，我发现了一个 教程向人们展示了使用 JtR 或 Hashcat 等流行工具暴力破解这些密码哈希是多么容易.在自定义 GPU 设备上，SHA1 可以以 惊人的每秒 48867 百万哈希的速度破解em>！ 使用像 rockyou 之类的免费词典，一个有动力的人，拥有您的数据库将很快拥有您的大部分用户密码.作为开发人员，您有道德责任采取必要措施保护用户密码的安全.默认散列是 SHA1，但他们也对它进行加盐和 base64:public string EncodePassword(string pass, string salt){byte[] bytes = Encoding.Unicode.GetBytes(pass);byte[] src = Encoding.Unicode.GetBytes(salt);字节[] dst = 新字节[src.Length + bytes.Length];Buffer.BlockCopy(src, 0, dst, 0, src.Length);Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);HashAlgorithm 算法 = HashAlgorithm.Create("SHA1");byte[] inArray = algorithm.ComputeHash(dst);返回 Convert.ToBase64String(inArray);}如果您想了解有关如何更改它的更多信息，我仍然需要了解(除非使用自定义提供程序，请参见下文)，但是 SHA-1 现在非常好.如果您想反转它或从中查找这些人在这方面做了一些工作:http://forums.asp.net/p/1336657/2899172.aspx如果可能需要，此 SO 问题将有助于逆转或复制此技术.在 Ruby 中重新实现 ASP.NET 成员身份和用户密码哈希如果您要创建自定义提供程序，则可以创建散列和加密算法和方法.private byte[] ConvertPasswordForStorage(string Password){System.Text.UnicodeEncoding ue =新 System.Text.UnicodeEncoding();byte[] uePassword = ue.GetBytes(Password);byte[] RetVal = null;开关(_PasswordFormat){案例 MembershipPasswordFormat.Clear:RetVal = uePassword;休息;案例 MembershipPasswordFormat.Hashed:HMACSHA1 SHA1KeyedHasher = 新 HMACSHA1();SHA1KeyedHasher.Key = _ValidationKey;RetVal = SHA1KeyedHasher.ComputeHash(uePassword);休息;案例 MembershipPasswordFormat.Encrypted:TripleDESCryptoServiceProvidertripleDes = 新TripleDESCryptoServiceProvider();三重Des.Key = _DecryptionKey;三重Des.IV = 新字节[8];MemoryStream mStreamEnc = new MemoryStream();CryptoStream cryptoStream = new CryptoStream(mStreamEnc,三重Des.CreateEncryptor(),CryptoStreamMode.Write);cryptoStream.Write(uePassword, 0, uePassword.Length);cryptoStream.FlushFinalBlock();RetVal = mStreamEnc.ToArray();cryptoStream.Close();休息;}返回 RetVal；}私有字符串 GetHumanReadablePassword(byte[] StoredPassword){System.Text.UnicodeEncoding ue = new System.Text.UnicodeEncoding();字符串 RetVal = null;开关(_PasswordFormat){案例 MembershipPasswordFormat.Clear:RetVal = ue.GetString(StoredPassword);休息;案例 MembershipPasswordFormat.Hashed:抛出新的应用程序异常("无法从散列格式中恢复密码");案例 MembershipPasswordFormat.Encrypted:TripleDESCryptoServiceProvidertripleDes =新的 TripleDESCryptoServiceProvider();三重Des.Key = _DecryptionKey;三重Des.IV = 新字节[8];加密流加密流 =新的加密流(新的内存流(存储密码)，三重Des.CreateDecryptor(), CryptoStreamMode.Read);MemoryStream msPasswordDec = new MemoryStream();int BytesRead = 0;字节[]缓冲区=新字节[32]；while ((BytesRead = cryptoStream.Read(Buffer, 0, 32)) > 0){msPasswordDec.Write(Buffer, 0, BytesRead);}cryptoStream.Close();RetVal = ue.GetString(msPasswordDec.ToArray());msPasswordDec.Close();休息;}返回 RetVal；}http://msdn.microsoft.com/en-us/library/aa479048.aspxWhat is default hash algorithm that ASP.NET membership uses? And how can I change it? 解决方案 EDIT: Do not use the Membership Provider as-is because it is horridly inadequate in terms of protecting user's passwordsIn light of the fact that googling "membership provider hashing algorithm" turns up this answer as the first result, and the gospel that will be inferred, it behoves me to warn folks about using the Membership Provider like this and using hashes like SHA-1, MD5 etc to obfuscate passwords in databases.tl;drUse a key-derivation function like bcrypt, scrypt or (if you need FIPS compliance) PBKDF2 with a work factor sufficient to necessitate the hashing time for a single password to be as close to 1000ms or more.Hashes are easy to brute force these days with ample examples of data breaches in recent history. To prevent your user's passwords from ending up on pastebin in the next hack, ensure that passwords are hashed with a function that takes a sufficiently long time to compute!Instead of Membership Provider, try IdentityReboot or the newer implementations from Microsoft that Troy Hunt talks about at the least.It's also interesting that on the same google results mentioned above I find a tutorial showing folks preciously how easy it is to brute force these password hashes using popular tools like JtR or Hashcat. On a custom GPU rig, SHA1 can be cracked at a staggering rate of 48867 million hashes per second! With a free dictionary like rockyou or the like, a motivated person with your database will very quickly have most of your users passwords. As a developer, it's your ethical responsibility to do what is necessary to protect the security of your users' passwords.The default hashing is SHA1 but they also salt it and base64 it:public string EncodePassword(string pass, string salt){ byte[] bytes = Encoding.Unicode.GetBytes(pass); byte[] src = Encoding.Unicode.GetBytes(salt); byte[] dst = new byte[src.Length + bytes.Length]; Buffer.BlockCopy(src, 0, dst, 0, src.Length); Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length); HashAlgorithm algorithm = HashAlgorithm.Create("SHA1"); byte[] inArray = algorithm.ComputeHash(dst); return Convert.ToBase64String(inArray);}If you want to know more about how to change it I still need to find out (unless using custom provider see below) however SHA-1 is pretty good for now. If you are looking to reverse it or lookup from this these guys did some work on that: http://forums.asp.net/p/1336657/2899172.aspxThis SO question will help in reversing or duplicating this technique if that is what might be needed. Reimplement ASP.NET Membership and User Password Hashing in RubyIf you are making a custom provider you can create your hashing and encryption algorithms and methods.private byte[] ConvertPasswordForStorage(string Password) { System.Text.UnicodeEncoding ue = new System.Text.UnicodeEncoding(); byte[] uePassword = ue.GetBytes(Password); byte[] RetVal = null; switch (_PasswordFormat) { case MembershipPasswordFormat.Clear: RetVal = uePassword; break; case MembershipPasswordFormat.Hashed: HMACSHA1 SHA1KeyedHasher = new HMACSHA1(); SHA1KeyedHasher.Key = _ValidationKey; RetVal = SHA1KeyedHasher.ComputeHash(uePassword); break; case MembershipPasswordFormat.Encrypted: TripleDESCryptoServiceProvider tripleDes = new TripleDESCryptoServiceProvider(); tripleDes.Key = _DecryptionKey; tripleDes.IV = new byte[8]; MemoryStream mStreamEnc = new MemoryStream(); CryptoStream cryptoStream = new CryptoStream(mStreamEnc, tripleDes.CreateEncryptor(), CryptoStreamMode.Write); cryptoStream.Write(uePassword, 0, uePassword.Length); cryptoStream.FlushFinalBlock(); RetVal = mStreamEnc.ToArray(); cryptoStream.Close(); break; } return RetVal; }private string GetHumanReadablePassword(byte[] StoredPassword) { System.Text.UnicodeEncoding ue = new System.Text.UnicodeEncoding(); string RetVal = null; switch (_PasswordFormat) { case MembershipPasswordFormat.Clear: RetVal = ue.GetString(StoredPassword); break; case MembershipPasswordFormat.Hashed: throw new ApplicationException( "Password cannot be recovered from a hashed format"); case MembershipPasswordFormat.Encrypted: TripleDESCryptoServiceProvider tripleDes = new TripleDESCryptoServiceProvider(); tripleDes.Key = _DecryptionKey; tripleDes.IV = new byte[8]; CryptoStream cryptoStream = new CryptoStream(new MemoryStream(StoredPassword), tripleDes.CreateDecryptor(), CryptoStreamMode.Read); MemoryStream msPasswordDec = new MemoryStream(); int BytesRead = 0; byte[] Buffer = new byte[32]; while ((BytesRead = cryptoStream.Read(Buffer, 0, 32)) > 0) { msPasswordDec.Write(Buffer, 0, BytesRead); } cryptoStream.Close(); RetVal = ue.GetString(msPasswordDec.ToArray()); msPasswordDec.Close(); break; } return RetVal; }http://msdn.microsoft.com/en-us/library/aa479048.aspx 这篇关于ASP.NET 成员资格使用的默认哈希算法是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！ 上岸，阿里云！