Am I encrypting my passwords correctly in ASP.NET
I have a security class:
public class security
{
private static string createSalt(int size)
{
//Generate a random cryptographic number
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] b = new byte[size];
rng.GetBytes(b);
//Convert to Base64
return Convert.ToBase64String(b);
}
/// <summary>
/// Generate a hashed password for comparison or create a new one
/// </summary>
/// <param name="pwd">Users password</param>
/// <returns></returns>
public static string createPasswordHash(string pwd)
{
string salt = "(removed)";
string saltAndPwd = string.Concat(pwd, salt);
string hashedPwd =
FormsAuthentication.HashPasswordForStoringInConfigFile(
saltAndPwd, "sha1");
return hashedPwd;
}
}
This works fine, but I am wondering if it is sufficient enough.
Also, is this next block of code better? Overkill?
static byte[] encrInitVector = new byte[] { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
static string encrKey = "(removed)";
public static string EncryptString(string s)
{
byte[] key;
try
{
key = Encoding.UTF8.GetBytes(encrKey.Substring(0, 8));
DESCryptoServiceProvider des = new DESCryptoServiceProvider();
byte[] inputByteArray = Encoding.UTF8.GetBytes(s);
MemoryStream ms = new MemoryStream();
CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(key, encrInitVector), CryptoStreamMode.Write);
cs.Write(inputByteArray, 0, inputByteArray.Length);
cs.FlushFinalBlock();
return Convert.ToBase64String(ms.ToAr开发者_StackOverflow社区ray());
}
catch (Exception e)
{
throw e;
}
I would say the last is the best,, overkill is always good,, but just take a look at this image.
If your site is not a large shopping store or bank or something of that magnitude that you do need strong security then your first code if sufficient enough. (If you do have user security high then I would also recommend SSL.)
加载中,请稍侯......
精彩评论