password by adding a salt, you increase the effective complexity of the stored value: even the simplest password becomes a long, unpredictable string once a salt is appended, which makes cracking the hash much harder. However, if the salt is hard-coded in the program, or generated once and then reused for every user, the defence weakens: every password is hashed with the same salt, two users with the same password get identical hashes, and an attacker who learns that one salt can build a single lookup table that covers all users. So generate a fresh random salt every time a user is created or a password is changed.
Many developers think of using the user name as the salt. Although the user name differs for each user, it is predictable, not random: an attacker can take a list of common user names, use each one as a salt, and precompute lookup tables and rainbow tables to crack the hashes. A user name is also reused across many systems, so it gives none of the isolation a per-user random salt provides.
We normally use a cryptographically secure pseudo-random number generator (CSPRNG) to generate the salt. As the name suggests, a CSPRNG meets a higher standard than an ordinary random number generator: its output cannot be predicted by an attacker, even one who has seen earlier outputs. In Java, use java.security.SecureRandom rather than java.util.Random.
In addition, in a web application the hashing must be done on the server, not on the client. If the client computes the hash and sends it, then even though the password itself never travels in clear text, an attacker who obtains a user's hash (from the database, or by intercepting the request) can submit it directly and log in as that user: the hash has become the password, and there is no need to know the plaintext or crack anything. Remember that client-side hashing is not a substitute for HTTPS.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Get a random salt. Fix: the original returned salt.toString(), which is the
 * array's identity string ("[B@1a2b3c"), not the salt bytes; the bytes are now
 * Base64-encoded so they can be stored next to the hash.
 * @return Base64-encoded 16-byte random salt
 */
public static String getSalt() {
    SecureRandom sr = new SecureRandom();   // CSPRNG; the default algorithm is fine, no need to pin "SHA1PRNG"/"SUN"
    byte[] salt = new byte[16];
    sr.nextBytes(salt);
    return Base64.getEncoder().encodeToString(salt);
}

/**
 * SHA-256 hash with salt
 * @param encryptStr string to hash (the password)
 * @param salt salt
 * @return hex-encoded SHA-256 of (encryptStr + salt), or null if SHA-256 is unavailable
 */
public static String sha2EncryptSalt(String encryptStr, String salt) {
    // explicit charset: the platform default differs between systems and would change the hash
    byte[] bt = (encryptStr + salt).getBytes(StandardCharsets.UTF_8);
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(bt);
        return bytes2Hex(md.digest());
    } catch (NoSuchAlgorithmException e) {
        return null;
    }
}

/** Hex encoding helper that the original code called but did not show. */
private static String bytes2Hex(byte[] bytes) {
    StringBuilder sb = new StringBuilder(bytes.length * 2);
    for (byte b : bytes) {
        sb.append(String.format("%02x", b));
    }
    return sb.toString();
}
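The snippets above show the two pieces in isolation. The following class is an added example, not code from the original post, that puts them together the way the text recommends: a fresh SecureRandom salt on every user creation or password change, SHA-256 computed on the server over the raw salt and password bytes, and a constant-time comparison at login. The stored record format "base64(salt):base64(hash)", the in-memory user table and the names setPassword/verify are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: per-user random salt + SHA-256, with registration and
 * server-side verification. The record format "base64(salt):base64(hash)"
 * and the in-memory user table are assumptions made for this example.
 */
public class SaltedPasswordStore {

    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG (java.security.SecureRandom)

    // Stand-in for the users table: username -> "base64(salt):base64(hash)"
    private final Map<String, String> users = new HashMap<>();

    /** A fresh random salt for every registration or password change. */
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    /** SHA-256 over salt || password; feeding raw bytes avoids String concatenation and charset surprises. */
    static byte[] hash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is mandatory in every Java platform implementation
            throw new IllegalStateException(e);
        }
    }

    /** Called on user creation and on password change: never reuse the previous salt. */
    public void setPassword(String username, String password) {
        byte[] salt = newSalt();
        byte[] digest = hash(salt, password);
        Base64.Encoder b64 = Base64.getEncoder();
        users.put(username, b64.encodeToString(salt) + ":" + b64.encodeToString(digest));
    }

    /** Login check. The client sends the plaintext over HTTPS; the server does the hashing. */
    public boolean verify(String username, String password) {
        String record = users.get(username);
        if (record == null) {
            hash(new byte[SALT_BYTES], password); // keep timing similar for unknown users
            return false;
        }
        String[] parts = record.split(":", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] stored = Base64.getDecoder().decode(parts[1]);
        // MessageDigest.isEqual is a constant-time comparison
        return MessageDigest.isEqual(stored, hash(salt, password));
    }

    public String recordFor(String username) {
        return users.get(username);
    }

    public static void main(String[] args) {
        SaltedPasswordStore store = new SaltedPasswordStore();
        store.setPassword("alice", "123456");
        store.setPassword("bob", "123456");   // same weak password, different salt
        String aliceHash = store.recordFor("alice").split(":")[1];
        String bobHash = store.recordFor("bob").split(":")[1];
        System.out.println("alice: " + store.recordFor("alice"));
        System.out.println("bob:   " + store.recordFor("bob"));
        System.out.println("identical stored hashes: " + aliceHash.equals(bobHash));
        System.out.println("alice, correct password: " + store.verify("alice", "123456"));
        System.out.println("alice, wrong password:   " + store.verify("alice", "123457"));
        System.out.println("unknown user:            " + store.verify("carol", "123456"));
    }
}
```

Running main shows that alice and bob, who chose the same password, end up with different stored hashes, so a table built for one user is useless against the other. Two points worth keeping in mind: because the salt has a fixed length, hashing the raw bytes of salt || password leaves no ambiguity about where the salt ends, which plain string concatenation does not guarantee; and a salt stops precomputation but does not slow down a brute-force attack on a single hash, since SHA-256 is fast. If the threat model includes a leaked database, the same structure applies with a deliberately slow function in place of the plain digest (Java ships PBKDF2 as "PBKDF2WithHmacSHA256" under javax.crypto.SecretKeyFactory).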
This article is from the "This person's IT World" blog, be sure to keep this source http://favccxx.blog.51cto.com/2890523/1738655
A secure password protection mechanism based on a salt + SHA algorithm