Discussion on MD5 encryption for website security

The MD5 encryption algorithm is used a lot during website development. First, we need to encrypt the user's password and store it in the database.
In fact, it is very simple to implement MD5 encryption on data (strings) in C.
Reference using System. Security. Cryptography;
Public string Md5 (string str)
{
MD5 md5 = new MD5CryptoServiceProvider ();
Byte [] data = md5.ComputeHash (UnicodeEncoding. Default. GetBytes (str ));
StringBuilder strBuilder = new StringBuilder ();
For (int I = 0; I <data. Length; I ++)
{
StrBuilder. Append (data [I]. ToString ("x2 "));
}
Return strBuilder. ToString ();
}
In this way, a 32-Bit String is returned.
However, when we look at other people's database data, we will find that the PASSWORD is 16 bits.
This is calculated as follows:
Md5 calculation (admin) = 2123 2f29 7a57 a5a7 4389 4a0e 4a80 1fc3;
16 = 7a57 a5a7 4389 4a0e; in fact, the 32-bit encryption is based on its weight of 9th to 24 bits. That is, substring (8, 16 ).
In fact, when I looked at other people's databases, I found that there were 40 BITs (mainly because there were too many MD5-cracking websites, and MD5 encryption was not that secure, so some people have changed their positions to 40 again. In fact, 40 bits are simple, and the transformation is not complicated .) :
Let's take a look at how it is computed:
40-bit: 7a57 a5a7 4389 4a0e 4a80 1fc3 4389 4a0e 4a80 1fc3
First 16 bits: The MD516 bits of encryption 7a57 a5a7 4389 4a0e.
The remaining 24 bits: 4a80 1fc3 4389 4a0e 4a80 1fc3
It is not hard to find: 4a80 1fc3 = MD532-bit encrypted last 8-bit + 4389 4a0e = MD516-bit encrypted last 8-bit + 4a80 1fc3 = MD532-bit encrypted last 8-bit.
Therefore, the core is to save the first 16 digits. With these 16 bits, we can ensure the correctness of the data. The rest are confusing. You can also perform other transformations. For example, if I encrypt it (admin) by 16, place it first and then separate it. Then, place the string in the middle according to your own algorithm. Generate a 40-bit password.
Why?
In fact, the current SQL injection is still very serious. In case of an injection vulnerability on our website, some hackers (script children) Get the account and password, and the password is 40 bits. It began to gain access. I thought about what encryption is. (In fact, there are many encryption algorithms .) Sorry, this is what you think. In this way, some threats can be avoided. Isn't it?
In addition, the password length is in the format of 13 characters including numbers, letters, uppercase and lowercase letters, and @ characters.
Example: AiaoqQ @ 91b91b
This is my password specification: the password before @ is written in uppercase and lowercase letters.
@ Is followed by a number, but if 8 is displayed, I will replace it with B.
It's easy to remember: xiaoqq, my nickname, 918 my birthday is repeated once. 8 = B.
I hope this article will be helpful to some people.

From the study in Xiaoqi