开发者

Storing password in database using hash with salt; not sure where/how to store salt

开发者 https://www.devze.com 2023-04-10 00:13 出处:网络
I have a ASP.NET (MVC 3) web site where user will be able to login to perform certain actions. I need to store their password in backend SQL Server 2008 database. I will be using form authentication (

I have a ASP.NET (MVC 3) web site where user will be able to login to perform certain actions. I need to store their password in backend SQL Server 2008 database. I will be using form authentication ( not windows authenti开发者_Go百科cation). I am just wondering what is the best way of storing the password in database. Reading some links like this, I am inclining towards using Hash with Salt but I am unclear on how to store the salt value? Should salt value be encrypted? Any one have other ideas, best practices, potential problem or key considerations before concluding with this approach?


Typically the salt is stored as part of the hash, sometimes as the first two bytes. It can be stored as a separate field if necessary, especially when the salt is longer. The salt does not need to be encrypted. You just store the salt+hash in a reasonably-secure (admin access only) location.

Don't ever store the actual password. You only need the salt and hash. When the user gives a password, you encrypt it using the stored salt for the user they claim to be, and if the result matches the stored hash, the password is correct.

A good article on the subject: http://www.obviex.com/samples/hash.aspx


A typical approach is to store the salt and the hash together, separated by some special character. This value is created by the authentication mechanism and can be passed to the authentication mechanism to verify, so that the application itself does not have to know that the value contains both a salt and a hash.

The salt is not stored encrypted.

0

精彩评论

暂无评论...
验证码 换一张
取 消