A security password protection mechanism based on salt +sha algorithm

Source: Internet
Author: User
Tags: cryptographically secure password protection

Adding a salt to a password increases its complexity: even the simplest password becomes a long, complex string once a salt is appended, which makes cracking it much harder. However, if the salt is hard-coded in the program, or generated randomly once and then reused, so that every password is hashed with the same salt, the system's defence is weakened, because hashing the same password twice with the same salt gives the same result. It is therefore good practice to use a new random salt every time a user is created or a password is changed.


Many users think of using the user name as the salt. Although each user's name is different, user names are predictable rather than random: an attacker can take common user names as salts and precompute lookup tables and rainbow tables to crack the hashes.


We usually generate the salt with a cryptographically secure pseudo-random number generator (CSPRNG). As the name suggests, a CSPRNG produces random numbers of a high standard that are unpredictable. In Java, java.security.SecureRandom can be used for this.


In addition, in a web application the hashing should be done on the server, not in the client. If the hash is computed in the client, then even though the password is not transmitted in clear text, a malicious hacker who obtains the user's hash can log in to the account with it directly, without needing to know the user's plaintext password or to crack the hash. Remember that client-side hashing is not a substitute for HTTPS.

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/**
 * Get a random salt.
 * @return the 16 salt bytes as a hex string
 */
public static String getSalt() {
    SecureRandom sr;
    byte[] salt = new byte[16];
    try {
        sr = SecureRandom.getInstance("SHA1PRNG", "SUN");
        sr.nextBytes(salt);
    } catch (Exception e) {
        // never fall through with an all-zero salt
        throw new IllegalStateException("salt generation failed", e);
    }
    // salt.toString() would only give the array's identity ("[B@..."), not its contents,
    // so encode the bytes instead
    return bytes2Hex(salt);
}

/**
 * SHA-2 salted encryption (hashing).
 * @param encryptStr the string that needs to be encrypted
 * @param salt the salt
 * @return hex-encoded SHA-256 of the string plus salt, or null if SHA-256 is unavailable
 */
public static String sha2EncryptSalt(String encryptStr, String salt) {
    MessageDigest md = null;
    String encryptCode = null;
    // use an explicit charset so the digest does not depend on the platform default
    byte[] bt = (encryptStr + salt).getBytes(StandardCharsets.UTF_8);
    try {
        md = MessageDigest.getInstance("SHA-256");
        md.update(bt);
        encryptCode = bytes2Hex(md.digest());
    } catch (NoSuchAlgorithmException e) {
        return null;
    }
    return encryptCode;
}

/** Hex-encode a byte array (helper referenced by the two methods above). */
public static String bytes2Hex(byte[] bytes) {
    StringBuilder sb = new StringBuilder(bytes.length * 2);
    for (byte b : bytes) {
        sb.append(String.format("%02x", b));
    }
    return sb.toString();
}
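The register-and-verify flow the article describes, with the salt stored next to the digest and a fresh salt drawn on every password change. This is an added example and not code from the original post: the class SaltedPasswordStore, its method names and the sample users are assumptions of the example. It also shows, for contrast, that a fixed salt makes two users with the same password hash identically, which is the weakness the text warns about.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added example (not from the original post): per-user random salt, store and verify. */
public class SaltedPasswordStore {

    /** What gets stored: the salt and the digest, never the password. */
    static final class StoredCredential {
        final byte[] salt;
        final byte[] digest;
        StoredCredential(byte[] salt, byte[] digest) { this.salt = salt; this.digest = digest; }
    }

    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG
    private static final int SALT_BYTES = 16;
    private final Map<String, StoredCredential> users = new HashMap<>();

    /** Fresh 16-byte salt from the CSPRNG: one per user, and again on every password change. */
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    /** SHA-256 over salt || password, with the password encoded as UTF-8 explicitly. */
    static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every JRE", e);
        }
    }

    /** Register or change a password: always draws a new salt, never reuses the old one. */
    void setPassword(String username, String password) {
        byte[] salt = newSalt();
        users.put(username, new StoredCredential(salt, digest(salt, password)));
    }

    /** Verify with the stored salt; MessageDigest.isEqual compares in constant time. */
    boolean verify(String username, String password) {
        StoredCredential c = users.get(username);
        if (c == null) {
            // hash anyway so an unknown user costs the same time as a wrong password
            digest(new byte[SALT_BYTES], password);
            return false;
        }
        return MessageDigest.isEqual(c.digest, digest(c.salt, password));
    }

    static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }

    public static void main(String[] args) {
        SaltedPasswordStore store = new SaltedPasswordStore();
        // constructed sample users: same weak password, two accounts
        store.setPassword("alice", "123456");
        store.setPassword("bob", "123456");

        StoredCredential a = store.users.get("alice");
        StoredCredential b = store.users.get("bob");
        System.out.println("alice salt/digest: " + b64(a.salt) + " / " + b64(a.digest));
        System.out.println("bob   salt/digest: " + b64(b.salt) + " / " + b64(b.digest));
        System.out.println("random salts, same password, digests differ: "
                + !MessageDigest.isEqual(a.digest, b.digest));

        // Contrast: a salt that is the same for everyone (hard-coded here) makes
        // identical passwords produce identical digests, so one crack reveals both.
        byte[] fixedSalt = "static-salt".getBytes(StandardCharsets.UTF_8);
        System.out.println("fixed salt, same password, digests equal: "
                + MessageDigest.isEqual(digest(fixedSalt, "123456"), digest(fixedSalt, "123456")));

        System.out.println("verify alice/123456: " + store.verify("alice", "123456"));
        System.out.println("verify alice/wrong:  " + store.verify("alice", "wrong"));
        System.out.println("verify carol/123456: " + store.verify("carol", "123456"));
    }
}
```

The salt is prepended as raw bytes rather than concatenated as text, and the comparison uses MessageDigest.isEqual so that a mismatch does not leak how many leading bytes matched. One caveat the article does not cover: a single SHA-256 is fast to compute, so in practice the digest step is usually replaced by a deliberately slow password hash (for example PBKDF2, which the JDK provides through javax.crypto.SecretKeyFactory) while the per-user random salt and the storage layout stay exactly as shown.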


This article is from the "This person's IT World" blog, be sure to keep this source http://favccxx.blog.51cto.com/2890523/1738655
