Reference documents
Http://www.cnblogs.com/richardlee/articles/2511321.html
Https://en.wikipedia.org/wiki/Salt_%28cryptography%29
Https://www.91ri.org/7593.html
Why can't the password store be clear text?
If the account password is stored in plaintext, the user's account will be compromised in the event that the website has obtained data from the hacker. (term called Drag library)
When hackers know your account, they can use this account to try to access other websites, such as websites with strong connections, banks, etc. (term called Crash Library)
Generally speaking, the average user in order to reduce the password memory burden, it is easy to set the same password on all sites.
In order to reduce the user registration process, the new site generally use public account certification services, such as (QQ, etc.), this can also reduce the risk of library collision.
Should passwords be stored in hash form?
It cannot be stored in clear text, and is naturally stored in ciphertext format.
If symmetric encryption is used, the encryption and decryption keys must be stored on the Web site, and once the keys and algorithms are compromised and the library is dragged away, the password can be computed directly, and the security of the password is still not guaranteed.
Password is stored in a hash, then ensure that the password can not be reversed, even if the site maintenance personnel, can not find out how much the original password. At most it can see a string of hash values.
Hackers even get the hash value, because the hash value can not be reversed, such as MD5 SHA, can only be bitterly.
This guarantees the security of the user's password.
Password calculation Hash Why should I add a salt?
Imagine, if for each password, are directly using some kind of hash algorithm, calculate to get hash value.
For some simple passwords, whose hash value is fixed, you can construct the hash value of all the easy-to-use passwords into a table,
When the hacker drags the library to the hash value of the password, it is compared with the hash value in the construction table, and if you are equal, the original value of the password is obtained.
So every year there are the weakest password rankings, reminding the vast number of Internet users, do not use simple password.
Http://tech.163.com/12/1029/04/8EV6LS9U000915BF.html
For each password to generate a random number (salt), the calculation of the hash value, the salt and password after splicing as the entry, the resulting hash value, you can solve a hash table, try to crack all the password problem.
But for a single password, its salt is also compromised, and if you construct a hash table with salt on the fly, you can also crack the password.
How do I add salt?
Http://www.cnblogs.com/richardlee/articles/2511321.html
How long should the salt is?
The salt should is at least as long as the hash function. For example, the If your hash function is a, and then you should has a salt of at least. I find that the easiest-generate enough salt is to generate a random string of hex characters that's the same Leng Th as the hash function output (with the hex characters for the bits). First and foremost, your salt should be long enough so, no, users ' passwords would ever be hashed using the same Sal T.
How does I generate the salt?
Use a cryptographically Secure pseudo-random number Generator (CSPRNG). Don't use your language's math library s rand () function. There'll is a proper csprng for your use. In PHP, it's Mcrypt_create_iv () and in. NET it ' s System.Security.Cryptography.RNGCryptoServiceProvider . The imporant thing is and the salt is a uniquefor each user. Using a high quality csprng to generate a long salt would practically guarantee uniqueness without needing to manually chec K If the salt has been used before.
How to choose the hash algorithm? What hash algorithm should I use?
do use:
- The SHA2 family-sha256 and SHA512
- RipeMD160
- WHIRLPOOL
- The PHP source code or the C # source code near the bottom of this page
do not use:
- MD5
- SHA0 or SHA1
- Crypt unless it uses SHA256 or SHA512
- Any algorithm this made yourself or hasn ' t gone through an intensive peer review process like the SHA3 competition
Is the password safe if you add salt?
No, adding a salt is more difficult to crack. But if the password itself is unsafe, for example a very simple rule of pure numbers, it can be easily cracked. Whether or not to add a salt.
So some Web sites require that passwords must contain alphanumeric characters, and that a special symbol must be added outside.
Salted Hash Password