如何在C#.NET中保存密码?

时间:2022-09-02 15:46:45

I am making a C#.NET application wherein I have designed an Administrator account. Now to Login in that account the Administrator has to enter the password.

我正在制作一个C#.NET应用程序,其中我设计了一个管理员帐户。现在要登录该帐户,管理员必须输入密码。

My Question is : How do I save that password?

我的问题是:如何保存该密码?

Possible options :

可能的选择:

  1. Global variable (Obviously incorrect because it will be reset to its default value everytime I run the application)

    全局变量(显然不正确,因为每次运行应用程序时它都会重置为默认值)

  2. Database Relation (Feasible but it serves to be a scalar relation only....)

    数据库关系(可行,但它只是一个标量关系....)

I don't want to store it in a scalar relation because I think it is stupid to use a relation for only one entry and one column!

我不想将它存储在标量关系中,因为我认为仅使用一个条目和一个列的关系是愚蠢的!

Is there any other optimum way to store the password?

是否有其他最佳方式来存储密码?

5 个解决方案

#1


8  

You can store it salted and hashed in a user settings file.

您可以将其存储在用户设置文件中并进行哈希处理。

You can access the default settings file using something like:

您可以使用以下内容访问默认设置文件:

private bool CheckPassword(string salt, string password) 
{
   var hash = Encoding.ASCII.GetBytes(salt + password);
   var sha1 = new SHA1CryptoServiceProvider();
   var sha1hash = sha1.ComputeHash(hash);
   var hashedPassword = ASCIIEncoding.GetString(sha1hash);

   return (Properties.Settings.Default.adminPass == hashedPassword);
}

#2


5  

For security reasons I would recommend you to store only the hash of the password and never the clear text password. You could store it in any persistent media you find it convenient: file registry, database, ...

出于安全考虑,我建议您只存储密码的哈希值,而不是明文密码。您可以将它存储在您觉得方便的任何持久性媒体中:文件注册表,数据库,......

#3


3  

Do you have a database in your system already ? Then just put it there. You will probably have a users table, that can be extended to accomodate the password (?) If not, you could store it in a file.

你的系统中是否有数据库?然后就把它放在那里。你可能会有一个用户表,可以扩展以容纳密码(?)如果没有,你可以将它存储在一个文件中。

What really matters, is that you should not store the password in plain text. It is bad security practice. You should one-way hash it using a good hashing algorithm (such as SHA512), preferably using a salt.

真正重要的是,您不应该以纯文本格式存储密码。这是不好的安全措施。您应该使用良好的散列算法(例如SHA512)对其进行单向散列,最好使用salt。

#4


3  

Assuming this is to persist the user's credentials on the server: store a hash of the password in the database. Ideally, you should compute and store something like SALT + sha1(SALT + password) where SALT is some random string computed for each password stored.

假设这是在服务器上保留用户的凭据:在数据库中存储密码的哈希值。理想情况下,您应该计算和存储类似SALT + sha1(SALT +密码)的内容,其中SALT是为存储的每个密码计算的随机字符串。

#5


1  

In addition to what everyone has been saying about not storing a plaintext password, you shouldn't work with a plaintext password in a string (for example, when getting the value from a text box).

除了每个人都在谈论不存储明文密码的内容之外,您不应该使用字符串中的明文密码(例如,从文本框中获取值时)。

This is because strings can remain in memory for an unknown, uncontrolled length of time.

这是因为字符串可以在未知的,不受控制的时间长度内保留在内存中。

They should be stored using SecureString.

它们应该使用SecureString存储。

In the way of explanation:

在解释方式:

An instance of the System.String class is both immutable and, when no longer needed, cannot be programmatically scheduled for garbage collection; that is, the instance is read-only after it is created and it is not possible to predict when the instance will be deleted from computer memory. Consequently, if a String object contains sensitive information such as a password, credit card number, or personal data, there is a risk the information could be revealed after it is used because your application cannot delete the data from computer memory.

System.String类的一个实例都是不可变的,当不再需要时,不能以编程方式安排垃圾收集;也就是说,实例在创建后是只读的,并且无法预测何时将从计算机内存中删除实例。因此,如果String对象包含敏感信息(如密码,信用卡号或个人数据),则使用该信息后可能会显示该信息,因为您的应用程序无法从计算机内存中删除该数据。

#1


8  

You can store it salted and hashed in a user settings file.

您可以将其存储在用户设置文件中并进行哈希处理。

You can access the default settings file using something like:

您可以使用以下内容访问默认设置文件:

private bool CheckPassword(string salt, string password) 
{
   var hash = Encoding.ASCII.GetBytes(salt + password);
   var sha1 = new SHA1CryptoServiceProvider();
   var sha1hash = sha1.ComputeHash(hash);
   var hashedPassword = ASCIIEncoding.GetString(sha1hash);

   return (Properties.Settings.Default.adminPass == hashedPassword);
}

#2


5  

For security reasons I would recommend you to store only the hash of the password and never the clear text password. You could store it in any persistent media you find it convenient: file registry, database, ...

出于安全考虑,我建议您只存储密码的哈希值,而不是明文密码。您可以将它存储在您觉得方便的任何持久性媒体中:文件注册表,数据库,......

#3


3  

Do you have a database in your system already ? Then just put it there. You will probably have a users table, that can be extended to accomodate the password (?) If not, you could store it in a file.

你的系统中是否有数据库?然后就把它放在那里。你可能会有一个用户表,可以扩展以容纳密码(?)如果没有,你可以将它存储在一个文件中。

What really matters, is that you should not store the password in plain text. It is bad security practice. You should one-way hash it using a good hashing algorithm (such as SHA512), preferably using a salt.

真正重要的是,您不应该以纯文本格式存储密码。这是不好的安全措施。您应该使用良好的散列算法(例如SHA512)对其进行单向散列,最好使用salt。

#4


3  

Assuming this is to persist the user's credentials on the server: store a hash of the password in the database. Ideally, you should compute and store something like SALT + sha1(SALT + password) where SALT is some random string computed for each password stored.

假设这是在服务器上保留用户的凭据:在数据库中存储密码的哈希值。理想情况下,您应该计算和存储类似SALT + sha1(SALT +密码)的内容,其中SALT是为存储的每个密码计算的随机字符串。

#5


1  

In addition to what everyone has been saying about not storing a plaintext password, you shouldn't work with a plaintext password in a string (for example, when getting the value from a text box).

除了每个人都在谈论不存储明文密码的内容之外,您不应该使用字符串中的明文密码(例如,从文本框中获取值时)。

This is because strings can remain in memory for an unknown, uncontrolled length of time.

这是因为字符串可以在未知的,不受控制的时间长度内保留在内存中。

They should be stored using SecureString.

它们应该使用SecureString存储。

In the way of explanation:

在解释方式:

An instance of the System.String class is both immutable and, when no longer needed, cannot be programmatically scheduled for garbage collection; that is, the instance is read-only after it is created and it is not possible to predict when the instance will be deleted from computer memory. Consequently, if a String object contains sensitive information such as a password, credit card number, or personal data, there is a risk the information could be revealed after it is used because your application cannot delete the data from computer memory.

System.String类的一个实例都是不可变的,当不再需要时,不能以编程方式安排垃圾收集;也就是说,实例在创建后是只读的,并且无法预测何时将从计算机内存中删除实例。因此,如果String对象包含敏感信息(如密码,信用卡号或个人数据),则使用该信息后可能会显示该信息,因为您的应用程序无法从计算机内存中删除该数据。