storing passwords in sql server database using ef core code first

后端 未结 2 1538
情歌与酒
情歌与酒 2021-01-22 21:01

I have this class to represent my users:

public class User
{
    public int ID {get; set;}
    public string UserName {get; set;}
    [DataType(DataType.Password         


        
相关标签:
2条回答
  • YES YES YES

    Never store passwords as plain text

    While much of this is a security discussion rather than a programming one, you should only be storing a secure hash (PBKDF2, Argon, and Bcrypt are current standards) along with a unique salt used for that hash.

    Storing it as you are is just asking someone to steal your database and get all your users passwords without any more effort than reading the Password column (which they probably reused a million other places).

    Its still OK to store it as string though.

    The DataType.Password is just an annotation for consumers of your class to read. (per https://msdn.microsoft.com/en-us/library/system.componentmodel.dataannotations.datatype(v=vs.110).aspx). It does not enhance security from a storage/database perspective.

    0 讨论(0)
  • 2021-01-22 21:37

    You should never store a password in the database if you can avoid it. Best practice is to store a salted, irreversible hash of the password.

    Typically this would be a SHA2 or PBKDF2, or whatever of the password salted with something that cannot change about the user-- e.g. the ID of the record.

    You would store the has typically as a varbinary(32) or whatever length your hash algorithm uses.

    This approach means that you cannot determine a user's password, since it is irreversible. To test a password of someone attempting to login, perform the same hash with the same salt, and test if the result is the same as what you have in your database. This way, a hacker who gets your database cannot figure out what each user's password is, but you can still test if a user knows their own password.

    0 讨论(0)
自定义标题
段落格式
字体
字号
代码语言
提交回复
热议问题