Analysis and _php techniques of deep password plus salt principle

Source: Internet
Author: User
Tags md5 md5 hash php example

We know that if you hash the password directly, the hacker can get a user's password by getting the password hash value, and then by checking the hash value dictionary (such as MD5 password to crack the website).

Adding salt can solve this problem to some extent. The so-called salt method, is to add a "seasoning." The basic idea is this: When a user first provides a password (usually when registering), the system automatically scatters some "condiments" into the password and then hashes. When a user logs on, the system gives the user the same "seasoning" code, then hashes, and then compares the hash value to determine if the password is correct.

The "seasoning" here is called the "salt value", which is randomly generated by the system and is only known by the system. In this way, even if two users use the same password, their hash values are different because the system produces different salt values for them. Even if a hacker can find a user with a specific password with his or her own hash value, the odds are too small (passwords and salt will have to be the same as the hacker uses).

The following PHP example explains the MD5 ($pass. $salt) Cryptographic functions.

Copy Code code as follows:

<?php
function hash ($a) {
$salt = "Random_kugbjvy"; Defines a salt value, a random string that the programmer prescribes
$b = $a. $salt; Connect the password with the salt
$b =md5 ($b); Execute MD5 Hash
return $b; return Hash
}
?>

Call mode:$new _password=hash ($_post[password]); This accepts the form submission value and encrypts it

The following is a detailed description of the salt hashing process. Before you introduce, you should use the "same" condiment when validating passwords using and initially hashing passwords. So the salt value is stored in the database.

When a user registers,

User input "account" and "password" (and other user information); The system generates "salt values" for the user, the system connects salt values and user passwords, hashes the concatenated values, gets "hash value", and Places "hash value 1" and "salt value" in the database separately.
When a user logs on,

User input "account" and "password", the system through the user name to find the corresponding "hash value" and "salt value"; The system connects "salt value" and "User entered password" together, hashes the concatenated values, and gets "hash value 2" (Note that the value is immediately calculated); Hash value 1 "and" hash value 2 "are equal, equality means that the password is correct, otherwise indicates a password error.
Sometimes, in order to mitigate development pressures, programmers use a salt value (stored somewhere) uniformly, rather than generating private salt values for each user.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.