问题
I stored salt and hash values of password during user registration... But during their login i then salt and hash the password given by the user, what happens is a new salt and a new hash is generated....
string password = collection["Password"];
reg.PasswordSalt = CreateSalt(6);
reg.PasswordHash = CreatePasswordHash(password, reg.PasswordSalt);
These statements are in both registration and login....
salt and hash during registration was eVSJE84W and 18DE22FED8C378DB7716B0E4B6C0BA54167315A2
During login it was 4YDIeARH and 12E3C1F4F4CFE04EA973D7C65A09A78E2D80AAC7..... Any suggestion....
public static string CreateSalt(int size)
{
//Generate a cryptographic random number.
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buff = new byte[size];
rng.GetBytes(buff);
// Return a Base64 string representation of the random number.
return Convert.ToBase64String(buff);
}
public static string CreatePasswordHash(string pwd, string salt)
{
string saltAndPwd = String.Concat(pwd, salt);
string hashedPwd =
FormsAuthentication.HashPasswordForStoringInConfigFile(
saltAndPwd, "sha1");
return hashedPwd;
}
回答1:
Right now you are generating a different salt upon registration and login. You need to use the same salt for hashing or you will get different hashes. That is to say you need store the salt into the database along with the password and reuse it to hash when the user tries to login later.
Steps:
- User registers and provides a plain text password
- You generate a new random salt and use it to hash the plain text
- You store the salt and the hash into the database
- Later the user tries to login by providing a new plain text password. You fetch the hash and the salt from database
- You use the salt to hash the plain text
- Compare the two hashes
来源:https://stackoverflow.com/questions/2863352/comparing-salt-and-hashed-passwords-during-login-doesnt-seem-work-right