Home > Tutorials > PHP Tutorials

How to store user password security

Source: Internet
Author: User
Tags cryptographically secure dot net
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
First: The basics: Add salt hash (Hashing with salt)

We already know how quickly malicious attackers use query tables and rainbow tables to crack common hash encryption. We have also

It is understood that this problem can be solved by using a random salt hash. But, what kind of salt value do we use, and how will it

Mixed in with the password?

The salt value should use an encrypted secure pseudo-random number generator (cryptographically secure pseudo-random

Number Generator,csprng) is generated. Csprng and ordinary pseudo-random number generators are very different,

The rand () function, such as the "C" language. As the name implies, CSPRNG is designed to be used for cryptographic security, which means it can

A random number that is highly random and completely unpredictable. We don't want the salt value to be predicted, so we have to use CSPRNG.

The following table lists some of the csprng methods for the current mainstream programming platform.

Platform csprng
Php Mcrypt_create_iv, Openssl_random_pseudo_bytes
Java Java.security.SecureRandom
Dot NET (C #, VB) System.Security.Cryptography.RNGCryptoServiceProvider
Ruby SecureRandom
Python Os.urandom
Perl Math::random::secure
C + + (Windows API) CryptGenRandom
Any language on Gnu/linux or Unix Read From/dev/random Or/dev/urandom

Each user's password must use a unique salt value. Each time a user creates an account or changes a password, the password should take a new random salt value.

Never re-use a salt value. This salt value should also be long enough to allow for a sufficient amount of salt to be used for hash encryption. One rule of thumb is that salt

The value must be at least as long as the output of the hash function. The salt should be stored in the user account table along with the password hash.

Steps to store your password:

    1. Use CSPRNG to generate a sufficiently long random salt value.

    2. Mix salt values with passwords and encrypt them using a standard password hash function, such as Argon2, Bcrypt, Scrypt, or PBKDF2.

    3. The salt value is stored in the user database along with the corresponding hash value.

To verify the password:

    1. Retrieves the user's salt value and the corresponding hash value from the database.

    2. The salt value is mixed with the password entered by the user and is encrypted using a generic hash function.

    3. Compares the result of the previous step with the same hash value as the database store. If they are the same, the password is correct; otherwise, the password is incorrect.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
how to change password for oracle user how to change user password on linux how to set password for postgres user how to get user password from ldap how to hack php website user password how to reset user password in oracle how to change ldap user password

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More