
Hi, I think I may be doing this wrong. Can anyone help explain how you hash/salt passwords? Do you do this from the client or from the web service?

I have a data contract with a password data member, and in my service I do this to create the hash/salt of the password before saving it:

So here is the process I was thinking of.

Rest Service has https for secure connection
User creates account (along with password)
//to stop packet sniffing when user creates account https is used during POST so no one can see the password?
web service then creates a hash of the password to store it
//so if anyone did get access to the service/database they couldn't make much use of the data in terms of breaching accounts
Then some means to authenticate that user thereafter

Is this correct?


1 Answer


It sounds like you're on the right track. The client should never hash with the salt, because an attacker would have access to that code. And HTTPS does protect the connection, so nobody else can read the data.

During authentication you do the same thing: take the password the user entered over HTTPS, hash/salt that value, and compare the resulting hash with the value in the database. Of course, if you ever return a Student object to the client, it shouldn't contain any password value.

It might be wise not to reuse the Password property of Student, because now you can't tell whether it holds the plain password or the hashed value.

answered 2012-04-22T06:12:02.920
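The server-side flow described in the question and the answer, as an added example that is not part of the original post: the service (not the client) draws a fresh random salt at account creation, stores only salt plus a PBKDF2 digest, re-derives the digest at login and compares it in constant time, and hands the client a view object that has no password field at all. The `StoredCredential`, `StudentView` and function names, and the iteration count, are assumptions chosen for the example; the question's own service code is not shown on the page.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed tunables: PBKDF2-HMAC-SHA256 with a 16-byte random salt.
# Pick an iteration count that suits the server's capacity.
ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass
class StoredCredential:
    """What the service persists for a user: never the plain password."""
    salt: bytes
    password_hash: bytes
    iterations: int


def create_account(password: str) -> StoredCredential:
    """Registration step, run in the web service after the HTTPS POST arrives.

    A new salt is generated per account, so two users with the same password
    get different stored hashes.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return StoredCredential(salt=salt, password_hash=digest, iterations=ITERATIONS)


def verify_password(stored: StoredCredential, candidate: str) -> bool:
    """Authentication step: re-derive with the stored salt and iteration count,
    then compare in constant time so timing does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), stored.salt, stored.iterations
    )
    return hmac.compare_digest(digest, stored.password_hash)


@dataclass
class StudentView:
    """The object returned to the client: it carries no password or hash field,
    so there is no way to accidentally echo either back over the wire."""
    username: str


def to_client_view(username: str) -> StudentView:
    """Build the response object; the StoredCredential is never passed along."""
    return StudentView(username=username)


if __name__ == "__main__":
    # Constructed sample run: register, then authenticate with right and wrong passwords.
    cred = create_account("correct horse battery staple")
    print("login ok:", verify_password(cred, "correct horse battery staple"))
    print("wrong password ok:", verify_password(cred, "Tr0ub4dor&3"))
    print("client sees:", to_client_view("alice"))
```

Storing `iterations` beside the hash lets the service raise the cost later and re-hash users at their next successful login without invalidating existing records.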