问题描述
我有这个课程来代表我的用户:
I have this class to represent my users:
public class User
{
public int ID {get; set;}
public string UserName {get; set;}
[DataType(DataType.Password)]
public string Password {get; set;}
}
我的register方法的简化版本如下:
A simplistic version of my register method looks like this:
[HttpPost]
Register(User newUser)
{
...
_context.add(newUser);
await _context.SaveChangesAsync();
...
}
所以我的问题是:在存储之前,我应该从常规字符串中更改密码类型吗?如果是这样,什么数据类型?
So my question is: Should I alter the password type from a regular string before storing? If so, to what data type?
推荐答案
是是是
尽管其中大部分是安全性讨论,而不是编程性讨论,但您只应存储安全哈希(PBKDF2,Argon和Bcrypt是当前标准)以及用于该哈希的唯一盐即可.
While much of this is a security discussion rather than a programming one, you should only be storing a secure hash (PBKDF2, Argon, and Bcrypt are current standards) along with a unique salt used for that hash.
按原样存储它只是在要求某人窃取您的数据库并获取所有用户密码,而无需读取Password
列(他们可能在其他一百万个地方重复使用了这些内容).
Storing it as you are is just asking someone to steal your database and get all your users passwords without any more effort than reading the Password
column (which they probably reused a million other places).
尽管可以将其存储为string
.
DataType.Password
只是类的使用者阅读的注释. (每个 https://msdn.microsoft.com/zh-CN/library/system.componentmodel.dataannotations.datatype(v=vs.110).aspx ).从存储/数据库的角度来看,它不增强安全性.
The DataType.Password
is just an annotation for consumers of your class to read. (per https://msdn.microsoft.com/en-us/library/system.componentmodel.dataannotations.datatype(v=vs.110).aspx). It does not enhance security from a storage/database perspective.
这篇关于首先使用ef核心代码将密码存储在sql服务器数据库中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!