使用SimpleMembershipProvider时使用salt

Question

可能重复:
WebMatrix WebSecurity PasswordSalt

有没有办法让simpleMembershipProvider使用盐？

当我创建我的mvc4 web项目并将默认连接设置为sqlexpress,然后注册,我的用户没有密码盐

我希望它尽可能安全,没有太多麻烦.

Answer 1

PasswordSalt列未使用,但在创建存储在"密码"字段中的散列密码时使用了salting.如果你看一下SimpleMembershipProvider的源代码,你可以看到这个:http://aspnetwebstack.codeplex.com/SourceControl/changeset/view/3a669e7112e7#src%2fWebMatrix.WebData%2fSimpleMembershipProvider.cs

检查CreateUserAndAccount方法.它使用Crypto.HashPassword方法:

    /* =======================
     * HASHED PASSWORD FORMATS
     * =======================
     * 
     * Version 0:
     * PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
     * (See also: SDL crypto guidelines v5.1, Part III)
     * Format: { 0x00, salt, subkey }
     */

    public static string HashPassword(string password)
    {
        if (password == null)
        {
            throw new ArgumentNullException("password");
        }

        // Produce a version 0 (see comment above) password hash.
        byte[] salt;
        byte[] subkey;
        using (var deriveBytes = new Rfc2898DeriveBytes(password, SaltSize, PBKDF2IterCount))
        {
            salt = deriveBytes.Salt;
            subkey = deriveBytes.GetBytes(PBKDF2SubkeyLength);
        }

        byte[] outputBytes = new byte[1 + SaltSize + PBKDF2SubkeyLength];
        Buffer.BlockCopy(salt, 0, outputBytes, 1, SaltSize);
        Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SaltSize, PBKDF2SubkeyLength);
        return Convert.ToBase64String(outputBytes);
    }

基本上是为了解决您的问题,它就像它需要的那样安全,而不必担心任何其他问题.