我对密码学很陌生,想要了解哈希算法.
我有以下来源创建一个密码的哈希版本,可以存储在我的数据库中.
public static string hashPasswordGenerator(string password)
{
System.Security.Cryptography.SHA256Managed crypt = new System.Security.Cryptography.SHA256Managed();
StringBuilder hash = new StringBuilder();
byte[] cry = crypt.ComputeHash(Encoding.UTF8.GetBytes(password), 0, Encoding.UTF8.GetByteCount(password));
return Convert.ToBase64String(cry);
}
我的示例用户是User1,密码为Password1,返回散列版本的GVE / 3J2k 3KkoF62aRdUjTyQ / 5TVQZ4fI2PuqJ3 4d0 =
我的问题是:
- Is this secure?
- Should I add a salt to this? If so can someone show
me a simple example as I do not really understand how the salt it
generated so that it will match the password every time?- If someone has this hashPasswordGenerator method could they reverse engineer my password?
提前致谢.
解决方法:
Is this secure?
如果你只是在没有盐的情况下使用SHA2,那不是真的. (不是说SHA2可以很容易地反转)
Should I add a salt to this?
是.
If so can someone show me a simple example
RNGCryptoServiceProvider rngCsp = new RNGCryptoServiceProvider();
var salt = new byte[32];
rngCsp.GetBytes(salt); // this will fill the buffer with random values
as I do not really understand how the salt it generated so that it will match the password every time
您必须保存盐(每个密码必须是唯一的)以及散列(密码盐).
If someone has this
hashPasswordGenerator
method could they reverse engineer my password?
是的,如果它是字典密码,如果你不使用盐.否则(在可预见的将来),因为哈希应该很难逆转.
BTW而不是试图重新发明*你应该考虑使用PBKDF2来进行密码散列需求,因为它有一个可以减缓强力攻击(迭代次数)的工作因素.