开发者

Membership Provider EncodePassword Method .NET 4.0

I am writing my own Custom Membership Provider but am using the Membership Providers own EncodePassword method which is shown below:

internal string EncodePassword(string pass, int passwordFormat, string salt)

{
if (passwordFormat == 0) // MembershipPasswordFormat.Clear
    return pass;

byte[] bIn = Encoding.Unicode.GetBytes(pass);
byte[] bSalt = Convert.FromBase64String(salt);
byte[] bAll = new byte[bSalt.Length + bIn.Length];
byte[] bRet = null;

Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
if (passwordFormat == 1)
{ // MembershipPasswordFormat.Hashed
    HashAlgorithm s = HashAlgorithm.Create( Membership.HashAlgorithmType );
    bRet = s.ComputeHash(bAll);
} else
{
    bRet = EncryptPassword( bAll );
}

return Convert.ToBase64String(bRet);
}

I now know after hunting around for a number of hours that in .NET 4 the algorithm used is HMACSHA256. I understand that i need a key for the algorithm to work correctly.

My question is how do it do this?

Do i put the key in the config file and reference it in 开发者_开发技巧some way?

Any help would be appreciated!

Thanks.


Don't use SHA!. Go and download BCrypt.Net. SHA is too fast at hashing which makes anything encrypted with it easy to brute force. BCrypt is slower due to a configurable work factor, so whilst imperceptable to the user, when trying to brute force 700m keys a second, you simply can't.

Once you have bcrypt all you need to do to hash is:

private static readonly int BCRYPT_WORK_FACTOR = 10;
string hashedPassword = BCrypt.Net.BCrypt.HashPassword(account.HashedPassword, BCRYPT_WORK_FACTOR);

and to check a password:

bool matched = BCrypt.Net.BCrypt.Verify(password, match.HashedPassword))

I have written this up in a bit more depth here http://www.danharman.net/2011/06/25/encrypting-hashing-passwords-for-your-website/

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜