Interesting Password Encryption Policy. Do you know how your password is stored on your website?

Interesting Password Encryption Policy. Do you know how your password is stored on your website?
In the early days of hash encryption, the system may directly store the user's plaintext password, and the password will be saved for what it is, and then each verification will directly match. later, people began to use Hash encryption to obtain the common ciphertext.

The simplest ciphertext-based Password Storage Policy (usually the MD5 encryption method) is shown below:

The hash algorithm is a one-way function that converts data of any size into ciphertext with a uniform length and cannot be used for reverse calculation. in addition, the conversion results of different data through hash functions are different.

What really compares in the program is the ciphertext hash value, which is only authorized when the same. do not tell whether the user name is incorrect or the password is incorrect. Just give a fuzzy prompt to prevent attackers from traversing the available user name without knowing the password.

Not all hash functions are secure and suitable for encryption. some hash functions are used for data structures such as hash tables for quick search. hash functions such as SHA256, SHA512, and RipeMD are used for encryption.

Finally, it should be noted that hash encryption is too easy to crack. It is not safe from the current situation.
Why is hash Encryption not secure? The reason for this is that hash encryption is not secure because there are many ways to crack it. In view of the current computer performance (the CPU has reached a bottleneck, and now the performance of ordinary laptops is almost the super computer 20 years ago) as well as hacker technology advances, many websites provide the hash cracking function. the following lists some common cracking methods:

Brute-force cracking (this is one of the unblocking methods. It is very inefficient to try combinations of various characters under a given length, but the password will eventually be obtained through traversal, it is equivalent to trying all the possibilities)

Dictionary attacks (also one of the unblocking methods, which is equivalent to an upgraded version of brute-force cracking. By collecting commonly used words, phrases, and passwords, all the attacks are stored, compare these closer data and try to guess)

Look-up table method (pre-calculate each password in the password dictionary, and store the hash value and the corresponding password in a data structure of the fast-forward query, and then query this table)

Rainbow table)

Legend has it that the rainbow table is powerless to add salt.

The above several methods are based on a basic principle. All passwords are hash encrypted in the same way. that is to say, if the two accounts have the same plaintext password, the ciphertext obtained after hash is the same. if we can use some 'small methods' to make them different, the difficulty of cracking is exponential doubling.

The specific method is to add a "randomization" string to the password and then hash it. in this way, the rules for ing the original plain text to the same ciphertext are disrupted. The mixed 'random' string is the so-called 'sale '.

These ideas are not complex, but most people in real work will still make some "mistakes", which makes our materials not good, such:

The length of "salt value" is too short (usually the same as the ciphertext length) or "salt value" is repeated.

Hash Functions are nested or used in combination (it is very important that you do not believe in an encryption method that you have invented and use the standard algorithm developed by cryptographic experts)

Avoid outdated or low-end hash functions, such as MD5 and SH1. We recommend SH256 and SH512.

The generation of "salt value" is not a random rand () function. You must use an encrypted pseudo-random function generator to increase the degree of randomness.