Hash和Salt Umbraco 默认的password存储方式
2024-08-29 21:39:19
本文章转载自 http://blog.reneorban.com/2014/10/hash-and-salt-umbraco-passwords.html
By default right now (I'm testing on version 7.1.4) Umbraco one way hashes both Member and User passwords for you. However also by default it will not salt your passwords. Salting passwords is nearly as important as hashing in the first place. For example if "johny48@email.com" was to sign up for your website with the password "test" it would by default produce a entry in the database like this:
As you can see the password is hashed to the value "W477AMlLwwJQeAGlPZKiEILr8TA=". However there is no salt on this password, so if "kate39@example.com" came along and also registered using the password "test" we would get the same hash value:
This is not very good from a security point view. These values could very easily be rainbow tabled (just type "W477AMlLwwJQeAGlPZKiEILr8TA=" into google and you will most likely find the original value).
Enabling Password salting
Umbraco actually supports hashing and salting as standard and its very easy to enable. Within your Web.Config file you will find a node called "membership". Under this node you will find two providers named "UmbracoMembershipProvider" and "UsersMembershipProvider". By default these will have the attribute "passwordFormat" set to "Hashed" - brilliant! However there is a second option named "useLegacyEncoding" that by default it is set to "True". This is what causes the non salted passwords. To enable salting simply set "useLegacyEncoding" to "False". You can see what this will do by looking at their code on their GitHub.
After setting "useLegacyEncoding" to "False" I can update my members password to "test" again and we will be generated two completely different hash values.
The Catch
Now there is a catch to this. Because we have changed the way that passwords are validated and stored poor johny48 and kate39 will no longer be able to log into our site. They will have to update/change their passwords before their able to once again login.
So if you have a existing site with members and users this might cause you a few problems...However if your starting a site fresh this really is a must.
Additionally because there are two different membership providers you could enable salting for just members and not users or vice versa.
最新文章
- 熊乐:H3 BPM为加速企业流程管理提供源动力
- hibernate一对一外键双向关联
- Lr中关于字符串的截取
- 查看sbt版本
- [LINK]php的三种CLI常量:STDIN,STDOUT,STDERR
- linux 操作mysql
- 用Application和Session统计在线人数[转]
- [转]UOS 中的虚拟网络设备
- [百度空间] --whole-archive &; --no-whole-archive
- linux下使用vim替换文件中的^M换行符
- CentOS 6.4 64位 安装 apache-tomcat-6.0.43
- JQuery简单实现图片轮播效果
- pythond对象、异常、反射的学习笔记
- Log4j MDC Tomcat下报异常org.apache.log4j.helpers.ThreadLocalMap
- Proving Equivalences(加多少边使其强联通)
- JavaEE XML DOM创建
- Linux 挂载aliyun数据盘
- enote笔记语言(2)(ver0.3)
- (二)plist的使用和序列帧动画
- cocos2d JS 自定义事件分发器(接收与传递数据) eventManager