这是可能的。这实际上是Kerberos身份验证，只有添加了香料的一点点。为了确保您的身份验证机制是安全的，则需要以下内容：

This is possible. This is actually what Kerberos authentication does, only with a little bit of added spice. To ensure that your authentication mechanism is secure, you need the following:

1. 在客户端和服务器上的一个常见的​​哈希算法。


2. 在服务器上生成，并与客户共享的一次性盐值。


3. 存储在数据库中的原来的密码。

要安全验证通过散列code用户，让您避免跨线发送实际的密码时，先在服务器上生成一个随机的，一次性使用的盐值。这种盐值与用户输入的密码腌制版本发送到客户端，并生成一个散列code。发送结果散列code键的服务器，并将其与从所存储的密码的盐腌版本生成的哈希code进行比较。如果比较失败，则丢弃该盐，重新生成新的盐值，并且重复此过程。

To securely authenticate a user via hash code, so you avoid sending the actual password across the wire, first generate a random, single-use salt value on the server. Send this salt value to the client, and generate a hash code from the salted version of the password the user has input. Send the resulting hash code to the server, and compare it with a hash code generated from the salted version of the stored password. If the comparison fails, discard the salt, regenerate a new salt value, and repeat the process.

究其原因，单次使用的盐是prevent任何人捕捉用户密码，当您使用哈希code比较，是一样的哈希值code收听谈话好，因为有密码本身。

The reason for the single-use salt is to prevent anyone listening to the conversation from capturing the hash code of the users password, which, when you use hash code comparison, is just as good as having the password itself.

请注意，你需要保持原来的密码你身边，你无法散列一次在服务器上保存的哈希数据库。如果你需要确保存储在数据库密码也安全的，则需要将它们存储前将其加密。我相信，ASP.NET成员资格提供者让你，完全是靠自己的存储密码加密，但是如果你真的希望有一个安全的身份验证机制是难以被黑客破解，那么我会建议处理密码存储和检索。

Note that you need to keep the original password around, you can't hash it once on the server and save the hash in the database. If you need to ensure that the passwords stored in your database are also secure, then you will need to encrypt them before storing them. I believe that ASP.NET membership providers do allow you to store passwords encrypted, however, if you really wish to have a secure authentication mechanism that is difficult for a hacker to crack, then I would recommend handling password storage and retrieval entirely on your own.

最后，我要指出的是，如果你使用SSL来验证在你的连接进行加密这样一个复杂的密码传输机制应该是大可不必。

Finally, I should note, that such a complex password transfer mechanism should be largely unnecessary if you use SSL to encrypt your connection during authentication.

参考（对于那些从来没有听说过Kerberos或SRP的是谁）：

References (for those who have never heard of Kerberos or SRP):

http://en.wikipedia.org/wiki/Kerberos_ （协议）
http://en.wikipedia.org/wiki/Secure_remote_password_protocol