I have people submit a username and password for then in a clan and i need to know if it's safe to use this code to submit that into a database or if it's even safe in a database.
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(username,password) VALUES(@memberToAdd, @memberPassword)"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@memberToAdd", memberToAdd.Text)
COMMAND.Parameters.AddWithValue("@memberPassword", membersPassword.Text)
COMMAND.ExecuteNonQuery()
MySQLCon.Close()
MySQLCon.Dispose()
I use Parameters to avoid SQL Injection Attacks.
----------------------------------------------------------------------------------
This was not a duplicate as it was in a different way of asking and storing the password. It was using MD5 for hashing a password.
答案 0 :(得分:10)
使用基本安全措施存储密码的过程非常简单:
如果他们输入了正确的密码,则哈希的PW将匹配。 Hashing可以保护用户免受攻击以及屏幕上显示members表的屏幕。
' salt size is 32 (0-31
Private Const SaltSize As Integer = 31
...
Dim dbPW As String = TextBox1.Text
Dim dbSalt = CreateNewSalt(SaltSize)
' eg: "dsEGWpJpwfAOvdRZyUo9rA=="
Dim SaltedPWHash As String = GetSaltedHash(dbPW, dbSalt)
' examples:
' using SHA256: bbKN8wYYgoZmNaG3IsQ2DPS2ZPIOnenl6i5NwUmrGmo=
' using SHA512:
' 0vqZWBIbOlyzL25l9iWk51CxxJTiEM6QUZEH1ph+/aNp+lk4Yf8NYv8RLhYtbqCNpOqO3y8BmM+0YWtbAhE+RA=="
将PW哈希和salt存储为用户记录的一部分。盐并不是秘密,但如果用户更改密码,则更改它。
' check if PW entered equals DB
Dim pwTry = TextBox2.Text
' hash the login attempt using the salt stored in the DB
Dim pwLogin = GetSaltedHash(pwTry, dbSalt)
' compare the hash of what they entered to whats in the DB:
If String.Compare(SaltedPWHash, pwLogin, False) = 0 Then
' okay!
Console.Beep()
End If
如果用户输入相同的PW,它应该产生相同的散列,就像那样简单。散列代码并不复杂:
Private Function GetSaltedHash(pw As String, salt As String) As String
Dim tmp As String = pw & salt
' or SHA512Managed
Using hash As HashAlgorithm = New SHA256Managed()
' convert pw+salt to bytes:
Dim saltyPW = Encoding.UTF8.GetBytes(tmp)
' hash the pw+salt bytes:
Dim hBytes = hash.ComputeHash(saltyPW)
' return a B64 string so it can be saved as text
Return Convert.ToBase64String(hBytes)
End Using
End Function
Private Function CreateNewSalt(size As Integer) As String
' use the crypto random number generator to create
' a new random salt
Using rng As New RNGCryptoServiceProvider
' dont allow very small salt
Dim data(If(size < 7, 7, size)) As Byte
' fill the array
rng.GetBytes(data)
' convert to B64 for saving as text
Return Convert.ToBase64String(data)
End Using
End Function
System.Guid.NewGuid.ToString)之类的东西很诱人,但使用加密随机数生成器并不是那么难。Shared / static班级成员的理想候选人。另请注意,由Kenneth链接的文章非常值得一读。
请注意,the article提及 The salt should be stored in the user account table alongside the hash 这并不意味着您必须在数据库中有Salt列。您可以在链接的文章中看到以下内容:
Dim dbPW As String = TextBox1.Text
Dim dbSalt = CreateNewSalt(SaltSize)
' get the salted PW hash
Dim SaltedPWHash As String = GetSaltedHash(dbPW, dbSalt)
' store salt with the hash:
SaltedPWHash = String.Format("{0}:{1}", dbSalt, dbPW)
' salt + ":" + hashed PW now ready to store in the db
从散列密码中分割盐:
Dim SaltAndPWHash = rdr.Item("PWHash").ToString()
Dim split = SaltAndPWHash.Split(":"c) ' split on ":"
Dim Salt = split(0) ' element(0) == salt
Dim StoredPWHash = split(1) ' element(1) == hashed PW
您需要这两个部分:在对PW中尝试的日志进行哈希处理后,将其与split(1)进行比较。
答案 1 :(得分:1)
不,您不应在数据库中存储明文密码。
原因是,如果您的数据库遭到入侵/被盗/入侵,则所有用户的密码都可供黑客使用。
您应该做的是以下内容: - 当用户注册时,将其用户名保存在数据库中,并附带散列版本的密码 - 当用户尝试登录时,从数据库中获取用户名,哈希他提供的密码并将其与数据库中的哈希密码进行比较。
哈希是一种将字符串转换为不同字符串的方法,在这种情况下,你只能采用一种方式(也就是说,相同的输入将始终生成相同的输出,但如果你只有输入,你就永远无法获得输入输出)。
要了解如何散列字符串,请阅读以下文章,其中包含不同语言的代码示例:https://crackstation.net/hashing-security.htm