问题
I am developing a .net web api project and need to store usernames and passwords salted and hashed in a users table.
How would I authenticate the user if the username and password fields are random hashed in the users table and the salts are stored in the same row for the user? Am I missing something? It seems as if I would have no way to find the user to do a password comparison.
回答1:
They are not random hashed per se. They are hashed against the same key. As a result, to authenticate, you would need to repeat the hashing process for inputted credentials and compare that hash to the user's stored hash.
An additional option is to use the built in Membership providers to handle the authentication for you.
Your actual requirement of hashing both is actually a very difficult requirement to solve for. As you identified, you would have nothing to identify that user by. As a result, you would have to resort to using some sort data such as IP, user agent string, etc to make a best guess. However, this would be incredibly dangerous.
At the end of the day, usernames are for identifying who the user is, not authenticating that user. If you have security requirements to never display the username or otherwise protect the username, instead show them logged in with their first name or other identifier so that the username is not exposed. At the end of the day you HAVE to find the user record and hashing the username only makes that harder and doesn't provide you any real security benefits.
Additional worthwhile security reading can be found here
来源:https://stackoverflow.com/questions/27473887/how-to-authenticate-user-against-salted-and-hashed-password-and-username