How do hackers know the username abcd and ciphertext?
Client does not require encryption
You only need to follow the normal user name and password to log on.
Then, the server performs the md5 (md5 (password) + salt) operation on the password to generate the encrypted password. Salt is obtained from the database.
Compare with the encrypted password in the database.
If they are the same, the logon is successful. Otherwise, the logon fails.
The advantage of this approach is that even if the database is hacked, the user's plaintext password cannot be known.
The server password is so different.
If ($ row ['pwd'] = md5 ($ _ POST ['pwd']) {
//
}
Even if someone else knows the password after MD5, but comes to the server, it needs to be encrypted again, or encrypted multiple times and then compared.
Even if hackers hacked into your database, they obtained your member's username and encrypted password, because md5 encryption is basically irreversible, therefore, hackers cannot call the services you know to perform login operations.
However, one layer of md5 encryption is not very secure, and many websites provide md5 decryption. We recommend that you encrypt the md5 data multiple times or add your custom string and then encrypt it in md5 (md5 (user_passwd.your_defined_string )).
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
