In-depth analysis of the principle of password plus salt

We know that if the password is hashed directly, hackers can obtain the hash value of the password, and then query the hash value Dictionary (for example, MD5 password cracking website ), obtain the password of a user.

Add Salt can solve this problem to some extent. The so-called add Salt method is to add some "condiments ". The basic idea is as follows: when a user provides a password for the first time (usually during registration), the system automatically adds "condiments" to the password and then hashes it. When a user logs on, the Code provided by the system for the user is sprinkled with the same "seasoning", and then hash, and then compare the hash value. It is determined that the password is correct.

The "seasoning" here is called the "Salt value", which is randomly generated by the system and only known by the system. In this way, even if two users use the same password, their hash values are different because the system generates different salt values for them. Even if hackers can use their own passwords and their own hash values to find users with specific passwords, the probability is too small (the passwords and salt values must be the same as those used by hackers ).

The following example uses PHP to illustrate the md5 ($ pass. $ salt) encryption function.

Copy codeThe Code is as follows: <? Php
Function hash ($ ){
$ Salt = "Random_KUGBJVY"; // defines a salt value, a random string specified by the programmer.
$ B = $ a. $ salt; // connect the password to salt
$ B = md5 ($ B); // execute the MD5 hash.
Return $ B; // returns a hash.
}
?>

Call method: $ new_password = hash ($ _ POST [password]); // The value submitted by the form is accepted and encrypted.

The following describes the process of adding a Salt hash. I would like to emphasize one point before the introduction. As mentioned above, the "same" seasoning should be used when the password is verified and the original hash password is used. Therefore, the Salt value is stored in the database.

When a user registers,

The user enters the account and password (and other user information), the system generates the Salt value for the user, and the system connects the Salt value and user password; hash value is obtained by hashing the connected values. Hash Value 1 and Salt value are placed in the database respectively.
When a user logs on,

The user enters the account and password. The system uses the user name to find the corresponding Hash value and Salt value ]; the system connects the Salt value and the password entered by the user. The connected values are hashed, get [Hash value 2] (note that it is the value calculated in real time). Compare whether [Hash value 1] and [Hash value 2] are equal. If they are equal, the password is correct, otherwise, the password is incorrect.
Sometimes, to reduce the development pressure, programmers will use a single salt value (stored somewhere) instead of generating private salt values for each user.