I am making a C#.NET application wherein I have designed an Administrator account. Now to Login in that account the Administrator has to enter the password.
我正在制作一个C#.NET应用程序,其中我设计了一个管理员帐户。现在要登录该帐户,管理员必须输入密码。
My Question is : How do I save that password?
我的问题是:如何保存该密码?
Possible options :
可能的选择:
-
Global variable (Obviously incorrect because it will be reset to its default value everytime I run the application)
全局变量(显然不正确,因为每次运行应用程序时它都会重置为默认值)
-
Database Relation (Feasible but it serves to be a scalar relation only....)
数据库关系(可行,但它只是一个标量关系....)
I don't want to store it in a scalar relation because I think it is stupid to use a relation for only one entry and one column!
我不想将它存储在标量关系中,因为我认为仅使用一个条目和一个列的关系是愚蠢的!
Is there any other optimum way to store the password?
是否有其他最佳方式来存储密码?
5 个解决方案
#1
8
You can store it salted and hashed in a user settings file.
您可以将其存储在用户设置文件中并进行哈希处理。
You can access the default settings file using something like:
您可以使用以下内容访问默认设置文件:
private bool CheckPassword(string salt, string password)
{
var hash = Encoding.ASCII.GetBytes(salt + password);
var sha1 = new SHA1CryptoServiceProvider();
var sha1hash = sha1.ComputeHash(hash);
var hashedPassword = ASCIIEncoding.GetString(sha1hash);
return (Properties.Settings.Default.adminPass == hashedPassword);
}
#2
5
For security reasons I would recommend you to store only the hash of the password and never the clear text password. You could store it in any persistent media you find it convenient: file registry, database, ...
出于安全考虑,我建议您只存储密码的哈希值,而不是明文密码。您可以将它存储在您觉得方便的任何持久性媒体中:文件注册表,数据库,......
#3
3
Do you have a database in your system already ? Then just put it there. You will probably have a users table, that can be extended to accomodate the password (?) If not, you could store it in a file.
你的系统中是否有数据库?然后就把它放在那里。你可能会有一个用户表,可以扩展以容纳密码(?)如果没有,你可以将它存储在一个文件中。
What really matters, is that you should not store the password in plain text. It is bad security practice. You should one-way hash it using a good hashing algorithm (such as SHA512), preferably using a salt.
真正重要的是,您不应该以纯文本格式存储密码。这是不好的安全措施。您应该使用良好的散列算法(例如SHA512)对其进行单向散列,最好使用salt。
#4
3
Assuming this is to persist the user's credentials on the server: store a hash of the password in the database. Ideally, you should compute and store something like SALT + sha1(SALT + password) where SALT is some random string computed for each password stored.
假设这是在服务器上保留用户的凭据:在数据库中存储密码的哈希值。理想情况下,您应该计算和存储类似SALT + sha1(SALT +密码)的内容,其中SALT是为存储的每个密码计算的随机字符串。
#5
1
In addition to what everyone has been saying about not storing a plaintext password, you shouldn't work with a plaintext password in a string (for example, when getting the value from a text box).
除了每个人都在谈论不存储明文密码的内容之外,您不应该使用字符串中的明文密码(例如,从文本框中获取值时)。
This is because strings can remain in memory for an unknown, uncontrolled length of time.
这是因为字符串可以在未知的,不受控制的时间长度内保留在内存中。
They should be stored using SecureString.
它们应该使用SecureString存储。
In the way of explanation:
在解释方式:
An instance of the System.String class is both immutable and, when no longer needed, cannot be programmatically scheduled for garbage collection; that is, the instance is read-only after it is created and it is not possible to predict when the instance will be deleted from computer memory. Consequently, if a String object contains sensitive information such as a password, credit card number, or personal data, there is a risk the information could be revealed after it is used because your application cannot delete the data from computer memory.
System.String类的一个实例都是不可变的,当不再需要时,不能以编程方式安排垃圾收集;也就是说,实例在创建后是只读的,并且无法预测何时将从计算机内存中删除实例。因此,如果String对象包含敏感信息(如密码,信用卡号或个人数据),则使用该信息后可能会显示该信息,因为您的应用程序无法从计算机内存中删除该数据。
#1
8
You can store it salted and hashed in a user settings file.
您可以将其存储在用户设置文件中并进行哈希处理。
You can access the default settings file using something like:
您可以使用以下内容访问默认设置文件:
private bool CheckPassword(string salt, string password)
{
var hash = Encoding.ASCII.GetBytes(salt + password);
var sha1 = new SHA1CryptoServiceProvider();
var sha1hash = sha1.ComputeHash(hash);
var hashedPassword = ASCIIEncoding.GetString(sha1hash);
return (Properties.Settings.Default.adminPass == hashedPassword);
}
#2
5
For security reasons I would recommend you to store only the hash of the password and never the clear text password. You could store it in any persistent media you find it convenient: file registry, database, ...
出于安全考虑,我建议您只存储密码的哈希值,而不是明文密码。您可以将它存储在您觉得方便的任何持久性媒体中:文件注册表,数据库,......
#3
3
Do you have a database in your system already ? Then just put it there. You will probably have a users table, that can be extended to accomodate the password (?) If not, you could store it in a file.
你的系统中是否有数据库?然后就把它放在那里。你可能会有一个用户表,可以扩展以容纳密码(?)如果没有,你可以将它存储在一个文件中。
What really matters, is that you should not store the password in plain text. It is bad security practice. You should one-way hash it using a good hashing algorithm (such as SHA512), preferably using a salt.
真正重要的是,您不应该以纯文本格式存储密码。这是不好的安全措施。您应该使用良好的散列算法(例如SHA512)对其进行单向散列,最好使用salt。
#4
3
Assuming this is to persist the user's credentials on the server: store a hash of the password in the database. Ideally, you should compute and store something like SALT + sha1(SALT + password) where SALT is some random string computed for each password stored.
假设这是在服务器上保留用户的凭据:在数据库中存储密码的哈希值。理想情况下,您应该计算和存储类似SALT + sha1(SALT +密码)的内容,其中SALT是为存储的每个密码计算的随机字符串。
#5
1
In addition to what everyone has been saying about not storing a plaintext password, you shouldn't work with a plaintext password in a string (for example, when getting the value from a text box).
除了每个人都在谈论不存储明文密码的内容之外,您不应该使用字符串中的明文密码(例如,从文本框中获取值时)。
This is because strings can remain in memory for an unknown, uncontrolled length of time.
这是因为字符串可以在未知的,不受控制的时间长度内保留在内存中。
They should be stored using SecureString.
它们应该使用SecureString存储。
In the way of explanation:
在解释方式:
An instance of the System.String class is both immutable and, when no longer needed, cannot be programmatically scheduled for garbage collection; that is, the instance is read-only after it is created and it is not possible to predict when the instance will be deleted from computer memory. Consequently, if a String object contains sensitive information such as a password, credit card number, or personal data, there is a risk the information could be revealed after it is used because your application cannot delete the data from computer memory.
System.String类的一个实例都是不可变的,当不再需要时,不能以编程方式安排垃圾收集;也就是说,实例在创建后是只读的,并且无法预测何时将从计算机内存中删除实例。因此,如果String对象包含敏感信息(如密码,信用卡号或个人数据),则使用该信息后可能会显示该信息,因为您的应用程序无法从计算机内存中删除该数据。