Add salt to user passwords

Add salt to user passwords

To avoid wasting your time, follow these steps.
If you do not know the following details, you can refer to this article: use MD5 to protect the user password stored in the database


After MD5 processing of important data directly, reverse decryption is indeed very difficult, but it can still identify flaws, please refer:


If a user named Li Zi can view the database, then he can observe that his or her password is the same as others' encrypted passwords. Then, others use the same password as their own, in this way, you can use someone else's identity to log on.

So is our previous encryption method ineffective? In fact, you only need to confuse it a bit to prevent it. This is called "adding salt" in encryption terms ". Specifically, other components are added to the original materials (User-Defined passwords) (generally user-owned and unchanged factors) to increase system complexity. When the salt is combined with the user password, the Digest can be used to obtain a more concealed digest value. See the code below:

// Encrypt the password after adding salt, and then store it in the database through hibernate
String changedpswd = digestutils. md5hex (name + pswd );

This is simple. In the above Code, salt is the user name. If you can, you can also use non-empty information such as the email and registration time when the user registers (if it is empty, the salt adding process will be invalid ).

The following is a record of two users in the database. Their actual logon passwords are both 123456, but the user records alone are completely invisible. The passwords that people with ulterior motives can see when they open the database are completely different, and their previous methods fail.


It's easy to add salt. Thank you for seeing this.

 

From: http://www.blogjava.net/heyang/archive/2010/11/28/339233.html