asp.net keystore for password storage?

前端 未结 1 1080
再見小時候
再見小時候 2021-01-14 13:32

I know that encrypted passwords can be stored in the web.config or hashed and salted passwords can be stored in a database, but is it possible to store passwords in somethin

相关标签:
1条回答
  • 2021-01-14 14:21

    The closest analogue to a Java keystore in .NET/Windows world is DPAPI (http://en.wikipedia.org/wiki/Data_Protection_API). It stores encrypted values in the Windows registry, with the encryption key derived from system or user account level secrets.

    It is in fairly wide use, though a paper was released at the 2010 Black Hat DC Conference detailing a crack against it (Google Docs).

    Prior to that paper (and if MS fixes it at some point) I would highly recommend DPAPI for exactly what you are describing.

    At this point, using DPAPI is probably (and unfortunately) the best option. A mitigating factor is that the crack is highly technical, difficult to execute, and requires quite a bit of OS access to pull off. A breach of a DPAPI key is most likely to be pulled off by a trusted insider with access to the system, as opposed to an external attacker.

    0 讨论(0)
提交回复
热议问题