Convert ASP.NET Membership Passwords from Encrypted to Hashed

Backend · Unresolved · 3 answers · 1452
轮回少年 2021-01-21 15:26

I've developed a website that uses ASP.NET membership. Based on comments from previous sites, I decided to encrypt passwords so they could be recovered for users who forgot the

3 answers
  • 2021-01-21 15:41

    IMHO, Greg's response (and the associated comments) on your previous question (Changing passwordFormat from Encrypted to Hashed) is the way to go. Essentially, you want to:

    1. Add a hashed membership provider
    2. Loop through all of the encrypted password users,
    3. For each one decrypt the password, create the hash, store it, delete the encrypted version from the database, and move on.

    When you are done, all of the encrypted password users should be converted to hashed.

  • 2021-01-21 15:50

    Maybe I'm missing something here, but it should be pretty simple. Create a process to decrypt the password, then salt accordingly and store the hash of the salt + user's decrypted password in the database. Obviously you don't want to be hashing the user's encrypted password. Don't forget to store the salt too.

  • 2021-01-21 15:52

    It seems you already know how to decrypt the passwords and change the web.config file, but you're stuck with how to implement the rest of the process.

    Using ILSpy, here's how to generate the salt for each user:

    using System;
    using System.Security.Cryptography;

    // 16 random bytes, Base64-encoded; this is what SqlMembershipProvider stores in PasswordSalt
    byte[] array = new byte[16];
    new RNGCryptoServiceProvider().GetBytes(array);
    return Convert.ToBase64String(array);

    Once you have the salt, here's how to generate the password:

    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Encoding.Unicode is UTF-16LE; the provider hashes saltBytes followed by passwordBytes
    byte[] bytes = Encoding.Unicode.GetBytes(pass);
    byte[] array = Convert.FromBase64String(salt);
    byte[] array2 = new byte[array.Length + bytes.Length];
    Buffer.BlockCopy(array, 0, array2, 0, array.Length);
    Buffer.BlockCopy(bytes, 0, array2, array.Length, bytes.Length);
    // SHA1 of salt + password, Base64-encoded; this is what goes in the Password column
    using (SHA1CryptoServiceProvider sha1 = new SHA1CryptoServiceProvider()) {
      return Convert.ToBase64String(sha1.ComputeHash(array2));
    }

    where pass is the plain-text password you calculated, and salt is the string calculated in the first code snippet above. The default algorithm is SHA1, if you're wondering why it's being used.

    Since this is a one-time process, I would write an HTTP handler to manually update the database during a short, scheduled maintenance period - hopefully you have that luxury. (Obviously make a backup and test first.) You need to update the following fields in the aspnet_Membership table:

    1. Password - calculated above
    2. PasswordFormat - 1
    3. PasswordSalt - calculated above

    Never had to do anything like this, but hopefully that will get you started :)

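As an added example (not code from the answer above or from ASP.NET's own source), here is the same hashed-format computation in Python, which is handy for checking migrated rows against the database from outside the web app. The `decrypt` callback and the sample rows are assumptions; the question states the decryption routine already exists, so it is passed in rather than implemented.

```python
import base64
import hashlib
import hmac
import os

# MembershipPasswordFormat values as stored in aspnet_Membership.PasswordFormat
PASSWORD_FORMAT_HASHED = 1
PASSWORD_FORMAT_ENCRYPTED = 2


def generate_salt() -> str:
    """16 random bytes, Base64-encoded, as SqlMembershipProvider does."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def membership_hash(password: str, salt: str) -> str:
    """Base64(SHA1(saltBytes + UTF-16LE(password))).

    .NET's Encoding.Unicode is UTF-16LE without a BOM, which Python's
    'utf-16-le' codec reproduces exactly.
    """
    data = base64.b64decode(salt) + password.encode("utf-16-le")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def verify_password(password: str, salt: str, stored_hash: str) -> bool:
    """Constant-time comparison against the Password column value."""
    return hmac.compare_digest(membership_hash(password, salt), stored_hash)


def convert_row(row: dict, decrypt) -> dict:
    """Return the updated columns for one Encrypted-format user.

    `decrypt` (assumed, supplied by the caller) reverses the provider's
    encryption of row["Password"]. Rows not in Encrypted format are refused
    so a re-run never re-hashes an already converted user.
    """
    if row["PasswordFormat"] != PASSWORD_FORMAT_ENCRYPTED:
        raise ValueError("row is not in Encrypted format; refusing to convert")
    salt = generate_salt()
    return {
        "UserId": row["UserId"],
        "Password": membership_hash(decrypt(row["Password"]), salt),
        "PasswordFormat": PASSWORD_FORMAT_HASHED,
        "PasswordSalt": salt,
    }
```

Run `convert_row` over each Encrypted-format row, then `verify_password` with a known test account before switching `passwordFormat` in web.config.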