1

Is there a way to use the same hashing algorithm that SimpleMembership uses for password to hash a clear-text password without actually setting or changing a password? I just want the hashed version of the password for comparison.

I am building a new site using MVC 4, and have opted to use the SimpleMembershipProvider to handle most account related data. One requirement I have is to keep a password history. I do not need to be able to retrieve the actual passwords, so one-way hashing is fine.

I have come up with a solution that keeps a separate table of passwords using a separate one-way hashing algorithm, but it seems rather clunky to me. It would be far cleaner if I could take the new password, use the SimpleMembership's algorithm to hash it, compare that to my stored passwords, and then only change it if it is valid. This would also help when I go to migrate our passwords from the old site.

Right now the only way I can find to generate the hashed version of the password is by changing the password, and then reading the hashed version from SQL.

4

1 回答 1

3

SimpleMembershipProvider.SetPasswordprivate方法),使用System.Web.Helpers.Crypto.HashPassword,所以你可以用它来散列密码。它还为您处理盐,它包含在返回值中。

反过来,该方法只返回一个 RFC 2898 哈希,因此您也可以使用System.Security.Cryptography.Rfc2898DeriveBytesHashPassword方法使用的 .security.cryptography.rfc2898derivebytes.aspx,但是您需要担心盐渍。

使用该HashPassword方法应该可以完美地满足您的安全要求;当我被要求强制执行要求时,我使用它,例如新密码不匹配最后 5 个中的任何一个(无论这是否是一个好的安全要求,它都有效)。您将需要Crypto.VerifyHashedPassword方法来查看输入的密码是否与任何历史密码匹配,因为这也会为您处理盐分。

于 2013-08-24T11:10:43.870 回答