How to prevent passwords from being cracked

What algorithm would you use to save your password for your users? If you are still using the plaintext, then once your site is hack, then all your user passwords will be leaked, which means that your system or website is finished. Therefore, we need to pass some irreversible algorithm to save the user's password. For example: MD5, SHA1, SHA256, SHA512, SHA-3, and other hash algorithms. These algorithms are non-reversible. In verifying the user's password, the system needs to compare the password after the hash encryption with the password in the database behind the password, if the agreement is verified through.

But do you think these algorithms are good? I said: MD5, SHA1, SHA256, SHA512, SHA-3. If you use the MD5 algorithm to encrypt your password, if your password length is only lowercase letters plus numbers, assuming that the password length is 6 bits, then on a relatively new PC, it only takes 40 seconds to exhaustive all the passwords. As far as we know, almost 90% of users use only lowercase letters and numbers to organize their passwords. For a 6-bit length password It will only take up to 40 seconds to hack it, which may scare you.

If you're willing to spend $2000 and a week building a cuda, you can use a password-exhaustive operation in the cluster that you build, with a speed of 1 seconds to calculate 700 million passwords. For the actual use of the more complex password, its crack rate can be as high as one per second. Of course, the algorithm mentioned here is an algorithm such as Md5,sha.

So, what do we do about a situation like this? There's a way we can do that.

We know Md5,sha's algorithm is too fast. So, we need a "slow" encryption algorithm. Oh. Bcrypt is such an algorithm, because it is very slow, for the computer, it is a bit slow BT, but it is just a good slow! It is not slow to verify the user's password, which makes the computer seem like a snail to the brute-user password.

Because Bcrypt uses a range of different blowfish encryption algorithms and introduces a work factor, this working factor allows you to decide how much the algorithm will cost. Because of this, the algorithm does not cause the computer CPU processing speed to become faster, and the time of the algorithm will be shortened. Because, you can add work factor to reduce its performance. Oh.

So, how slow is bcrypt? If you compare with MD5, if you use work factor with a value of 12, if you encrypt "cool", Bcrypt takes 0.3 seconds, and MD5 only takes a microsecond (one out of 10,000 seconds). That is, the earlier we said that only 40 seconds can be poor to lift all the possible MD5 encoded password algorithm, under the use of bcrypt, it takes 12 years.

This is the choice bcrypt gives you, you can have a secure password and a fast encryption algorithm, or a less secure password and a poorly performing encryption algorithm .

(Reproduced this site article please indicate the author and source of cool Shell –coolshell.cn, do not use for any commercial use)

How to prevent passwords from being cracked