Website Registration login, password How to encrypt?
On the internet read a lot of this article, all say the client's password, login to use MD5 encryption after the server, and then the server and the database of salt and encrypted password to compare
I don't know, if that's what it is.
Suppose the user name of a user is ABCD and the password is 123456. MD5 after encryption is: e10adc3949ba59abbe56e057f20f883e
For hackers, he accidentally acquired the user name: ABCD, Password: e10adc3949ba59abbe56e057f20f883e
At this point he does not need to know that the ABCD password is 123456, but also do not have to understand how e10adc3949ba59abbe56e057f20f883e is generated, he only need to enter the user name: ABCD, Then the password: e10adc3949ba59abbe56e057f20f883e to invoke the service to log in.
How to avoid this situation?
------Solution--------------------
How does a hacker know the user name ABCD and cipher text?
------Solution--------------------
Client does not need encryption
Just log in as a normal username and password.
The server side then performs a MD5 (MD5 (password) +salt) operation on the password, generating the encrypted password. The salt is fetched from the database.
And the encrypted password in the database.
The same is logged in successfully, otherwise the login fails.
The advantage of this approach is that even if the database is hacked into, it is not possible to know the user's plaintext password.
------Solution--------------------
The password for the server is so comparable
if ($row [' pwd '] = = MD5 ($_post[' pwd ')) {
//
}
Even if others know the password after the MD5, but come to the server, but also need to encrypt again, or encrypt multiple times to compare.
------Solution--------------------
Hackers even hacked into your database, got your member's username and encrypted password, because MD5 encryption is basically irreversible, so hackers are unable to invoke your known services to implement the login operation.
But a layer of MD5 encryption is not very secure, many sites provide MD5 decryption. It is recommended that you encrypt the MD5 multiple times or add your own custom string and then encrypt it in MD5 (MD5 (user_passwd.your_defined_string)).
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.