C#，asp.net 密码在用盐散列后不匹配

Question

我已经为 password.Before 使用了带盐的散列法我实现了散列法，我有一个存储过程用于检查文本框值与数据库中的值并且代码工作正常。通过密码实现散列法之后不匹配，我检查了数据库中的散列值和我输入的密码，两者都在 google 中查找 same.I 一些人建议在数据库中手动输入密码值将导致 issue.So 我创建了一个用户注册表并在那里散列密码并将其存储在 database.Can 任何人请指导我哪里出错了。

我的登录页面代码：

 using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    using System.Configuration;
    using System.Data.SqlClient;
    using System.Data;
    using System.Security.Cryptography;

    namespace taxiservices
    {
        public partial class adminlogin : System.Web.UI.Page
        {
            String Salt;
            String Hash;
            String Pwd;
            protected void Page_Load(object sender, EventArgs e)
            {

            }

            public string SaltedHash(string password)
            {
                Salt = "salthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtest";
                Hash = ComputeHash(Salt, password);
                return Hash;

            }

            static string ComputeHash(string salt, string password)
            {
                var saltBytes = Convert.FromBase64String(salt);
                using (var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, saltBytes, 1000))
                    return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(256));
            }

            public static bool Verify(string salt, string hash, string password)
            {
                return hash == ComputeHash(salt, password);
            }

            protected void Button1_Click(object sender, EventArgs e)
            {
                Session["username"] = username.Text.ToString();
                 Pwd=SaltedHash(password.Text.ToString());
                 Response.Write(Pwd);
                string query;
                string ConnectionStringnew = ConfigurationManager.ConnectionStrings["ConnectionStringName"].ConnectionString;
                using (SqlConnection con = new SqlConnection(ConnectionStringnew))
                {
                    query = "Emplogin";   //stored procedure Name
                    SqlCommand com = new SqlCommand(query, con);
                    com.CommandType = CommandType.StoredProcedure;
                    com.Parameters.AddWithValue("@Usename", username.Text.ToString());   //for username 
                    com.Parameters.AddWithValue("@Password",Pwd);  //for password

                    con.Open();

                    int usercount = (Int32)com.ExecuteScalar();// for taking single value
                    con.Close();
                    if (usercount == 1)  // comparing users from table 
                    {

                        Session["user"] = "valid";

                        Response.Redirect("adminhomepage.aspx");  //for sucsseful login
                    }
                    else
                    {

                        Label2.Text = "Invalid User Name or Password";  //for invalid login
                    }



                }
            }

            protected void username_TextChanged(object sender, EventArgs e)
            {

            }
        }
    }

用户创建密码的页面：

 using System;
    using System.Collections.Generic;
    using System.Configuration;
    using System.Data.SqlClient;
    using System.Linq;
    using System.Security.Cryptography;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;

namespace taxiservices
{
    public partial class changepassword : System.Web.UI.Page
    {
        String Salt;
        String Hash;
        protected void Page_Load(object sender, EventArgs e)
        {


        }

        protected void TextBox2_TextChanged(object sender, EventArgs e)
        {

        }
        public string SaltedHash(string password)
        {
            Salt="salthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtest";
            Hash = ComputeHash(Salt, password);
            return Hash;
        }

        static string ComputeHash(string salt, string password)
        {
            var saltBytes = Convert.FromBase64String(salt);
            using (var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, saltBytes, 1000))
                return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(256));
        }

        protected void Button1_Click(object sender, EventArgs e)
        {

            string Pwd = SaltedHash(TextBox2.Text);
            string ConnectionStringn = ConfigurationManager.ConnectionStrings["ConnectionStringName"].ConnectionString;
            using (SqlConnection con = new SqlConnection(ConnectionStringn))
            {
                using (SqlCommand cmd = new SqlCommand("INSERT INTO Users(Username,Password) VALUES(@User,@password)"))
                {
                    cmd.Connection = con;
                    cmd.Parameters.AddWithValue("@User", TextBox3.Text);
                    cmd.Parameters.AddWithValue("@password", Pwd);
                    con.Open();
                    cmd.ExecuteNonQuery();
                    con.Close();

                }
            }
        }
    }
}

存储过程：

    Create  procedure Emplogin
(
@Usename Varchar (20),
@Password varchar (10)
)
as
Begin
Select COUNT(*)from Users where username=@Usename and password=@Password 
End

Answer 1

当您将详细信息传递给 Emplogin 存储过程时，它只会获取加盐密码的前 10 个字符（它会截断其他 246 个字符）。当它根据您的 Users 数据库检查这个十个字符的字符串时，没有找到匹配项。

您应该调整您的 Emplogin 程序，使 @Password 变量的长度与 Users table 中的 password 列的长度匹配。

C#，asp.net 密码在用盐散列后不匹配

C#,asp.net Passwords are not matching after hashing with salt

c#

asp.net

hash

salt