I was going to write an article about how to implement user login, but because time is limited, I will instead introduce password hashing and ASP.NET Membership.
1. Salted hashing
We know that if passwords are hashed directly, hackers (used here collectively for anyone who is able to steal user data and attempts to obtain user passwords) can hash a known password themselves and then look for users whose stored hash matches it. In other words, although a hacker cannot obtain the password of a specific user, he can find out which users use that known password.
Adding a salt solves this problem to some extent. "Adding salt" literally means adding some "seasoning". The basic idea is this: when a user provides a password for the first time (usually at registration), the system automatically sprinkles some "seasoning" onto the password and then hashes it. When the user logs on, the system sprinkles the same "seasoning" onto the password the user supplies, hashes it, and compares the hash values to determine whether the password is correct.
The "seasoning" here is called the "salt value". It is randomly generated by the system and known only to the system. In this way, even if two users use the same password, their hash values are different, because the system generates different salt values for them. A hacker can still try to use a password and hash value of his own to find users with a specific password, but the probability of success is very small, because both the password and the salt value would have to be the same as the hacker's.
The following describes the process of salted hashing. I would like to emphasize one point before the introduction. As mentioned above, the same "seasoning" must be used when a password is verified as was used when the password was originally hashed. Therefore, the salt value is stored in the database.
2. Related code in ASP.NET Membership
(A few words of introduction to Membership are omitted here.)
In this article, Anders Liu only studies SqlMembershipProvider, which is located in System.Web.dll, in the System.Web.Security namespace.
To use Membership, first configure the database with the aspnet_regsql.exe command. This tool adds a series of tables and stored procedures to the existing database. The configured database has a table, aspnet_Membership, which stores user account information. Here, we are concerned with three columns: Password, PasswordFormat, and PasswordSalt.
Password stores the hash value of the password, PasswordFormat stores the algorithm used to hash the password, and PasswordSalt stores the salt value generated by the system.
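The registration and login flow from section 1, written against the Password and PasswordSalt columns described above. This is an added example, not code from the original article or from ASP.NET Membership; the class and method names, the 16-byte salt, SHA-256 and the sample password are assumptions chosen for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; all names here are hypothetical, not ASP.NET Membership code.
static class SaltedHashDemo
{
    // One row's worth of the two columns discussed above, stored as Base64 text.
    sealed class Row { public string Password; public string PasswordSalt; }

    // Registration: generate a fresh random salt, then hash salt + password.
    static Row Register(string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new Row { PasswordSalt = Convert.ToBase64String(salt),
                         Password = Hash(password, salt) };
    }

    // Login: re-hash the supplied password with the STORED salt and compare.
    static bool Verify(string attempt, Row row)
    {
        byte[] salt = Convert.FromBase64String(row.PasswordSalt);
        return FixedTimeEquals(Hash(attempt, salt), row.Password);
    }

    static string Hash(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);
        using (var sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(all));
    }

    // Compare without exiting early, so timing does not reveal where the strings differ.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample: two users register with the same password.
        Row alice = Register("hunter2"), bob = Register("hunter2");
        Console.WriteLine("Same stored hash: " + (alice.Password == bob.Password));
        Console.WriteLine("Correct password accepted: " + Verify("hunter2", alice));
        Console.WriteLine("Wrong password accepted: " + Verify("hunter3", alice));
    }
}
```

A single SHA-256 round follows the scheme described above; password stores today generally use a deliberately slow function such as PBKDF2, bcrypt or Argon2 with the same per-user salt.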
3. Summary
This article only briefly introduces how salted hashing is done (rather than the principle behind it) and how ASP.NET Membership implements it. Although it will not let you "understand the principles of salted encryption," I believe you should now have a general understanding of how to use this method, and you can also adapt the Membership code to store your own passwords as hashes.
Due to limited time, Anders Liu wrote a lot of articles, listing a lot of code without a systematic introduction. I hope you can forgive me. In the next article, I will introduce how to implement user login without using MembershipProvider while still keeping the convenience provided by Login and other controls.