开发者

Salting a password - are there better options than using a timestamp?

开发者 https://www.devze.com 2023-01-11 23:07 出处:网络
I\'m currently building a couple of ASP.NET MVC 2 sites, and am 开发者_开发技巧wondering what my options are for salting a password.With my PHP work, I usually just obtained the timestamp of when a us

I'm currently building a couple of ASP.NET MVC 2 sites, and am 开发者_开发技巧wondering what my options are for salting a password. With my PHP work, I usually just obtained the timestamp of when a user registered, then appended it to the end of their password string before using SHA1 to hash the entire thing. My instinct is that this approach may not be sufficient.

I'm pretty new to user administration with ASP.NET anyway, so I figure it would be in my best interest to get started with best practices from the beginning. I know that ASP.NET web forms have built-in user administration available, but am unsure about MVC.


The only point of a SALT is to prevent rainbow attacks, where multiple users have the same hash for their password, so reversing one password successfully means you also know it's the password for everybody else with the same hash. Even a single-digit salt will prevent that, since two users with the same password will have different hashes if they have different salts.

As long as the salt is something that won't change, and that is different for every user, any value will work well. Timestamp of their registration, provided you don't update that field (which would invalidate their password hash and prevent their login) is a fine choice.

0

精彩评论

暂无评论...
验证码 换一张
取 消