I originally wanted to randomly form a mobile phone verification code, write it into the database when I submitted it, and then read it for comparison. In this way, I wanted to look up the table, so I thought of another method, it is to re-combine the entered mobile phone into a verification code, which is regularly formed and registered members can be valid for a long time. This method... I originally wanted to randomly form a mobile phone verification code, write it into the database when I submitted it, and then read it for comparison. In this way, I wanted to look up the table, so I thought of another method, it is to re-combine the entered mobile phone into a verification code, which is regularly formed. registered members can be valid for a long time. This method does not need to write tables, that is, it does not know how secure it is, will it be easily cracked?
Reply content:
I originally wanted to randomly form a mobile phone verification code, write it into the database when I submitted it, and then read it for comparison. In this way, I wanted to look up the table, so I thought of another method, it is to re-combine the entered mobile phone into a verification code, which is regularly formed. registered members can be valid for a long time. This method does not need to write tables, that is, it does not know how secure it is, will it be easily cracked?
Long-term effectiveness is obviously problematic. You need to consider the possibility of leakage. As for cracking, find a well-designed hash algorithm, as long as the key information in the algorithm is not leaked, you don't have to worry about this problem.
A work und is to associate the verification code with a certain time point, for example, md5 (md5 (time + phone) + secret). In this example, time is the latest time, and secret is the key, calculate the last 6 digits of the hash value, and the validity period is 2 hours (the specific validity period and time policy can be adjusted according to actual needs). During verification, the last two whole points are replaced, if there is a match, it passes. In this way, as long as the secret does not leak, it can ensure that the secret is not cracked and not afraid of the previous verification code leakage. Even if the secret leaks, you can just change it :)
(It seems like the dynamic keys in some bank U shield, but I don't know how they are implemented)