"Add lock" dynamic password to your website easy to implement

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

With the popularization of network, the problem of network security is becoming more and more serious. And the famous technical exchange community CSDN burst more than 6 million users of clear text password exposure, Tianya 40 million user password also leaked in the world, followed by Renren, net, mop and so on, and even Jingdong Mall, Dangdang, Alipay, such as electronic business sites have burst the issue of password leakage, Tens of millions of of millions of user information naked exposed to the open network platform, let us worry about the network increasingly serious security problems.

Nowadays, many electric and bank websites use dynamic password service, which greatly protects the users ' information and fund security, the main ways are:

1, dynamic Password card: Similar to scraping card form, through the two indicators to determine the current password.

Common: Bank Password card, etc.

Disadvantages: Need to carry, and easy to be copied or photographed, relatively low security, and limited use.

2, hardware token: According to the special algorithm (generally for the time algorithm) to generate an unpredictable random number combination, each password can only be used once, or similar to the U shield type of hardware to be inserted into the data alignment.

Common: U shield, QQ token, etc.

Disadvantages: Need to carry, use more cumbersome, and to spend a lot of hardware costs;

3, mobile phone password: One is through the software to achieve dynamic password generation, another relatively simple, through the text to obtain authentication code to confirm identity;

Common: QQ mobile phone token, Alipay payment phone verification code, etc.

Disadvantages: Need and mobile phone binding, such as the replacement of mobile phone number is more troublesome, and sometimes will encounter delays or can not receive, the site needs to deploy a message platform, a large number of SMS needs a lot of costs;

Each of the above methods have its advantages, but there is a big problem, is not suitable for small and medium Web site deployment, all need to spend a lot of time and capital costs, and to add a lot of burden to users; so is there a more convenient and no cost security password solution?

The author through many years of experience in network construction, summed up and invented a simple and effective dynamic password implementation program, and applicable to various languages of the Web site, small and medium-sized sites can be quickly deployed.

Small and medium site user login commonly used in the way: "Username + password" or "username + password + authentication code"; Even if the use of MD5 encryption, also can not guarantee that the customer password will not be disclosed, because the password input process may be next to the person to see, or the computer backstage Trojan record, if you want to solve this problem, There is only one way to see people or to listen to the password Trojan fooled, that is to say, they see or record the password is not a real password, because the password is changing at any time!

Specific solution: The original "username + password" option can continue to retain (the verification code can be completely canceled), add a column dynamic password box, the verification requires three results to match to land.

Let's focus on how to design a dynamic password box: The author uses the "Time algorithm" to generate dynamic passwords, because time is changing every minute, with time to do algorithm, you can ensure the timeliness of dynamic passwords, that is: The next second of the password will be invalidated in the following seconds. For example, now the time is "14:28 minutes 54 seconds", then the dynamic password can be set to "142854", the background to get the current time set to "A", the value of the input box is "B", when the input "142854", then "b=a" validation through! To avoid the time difference of input, You can assign the time directly to "A" in the foreground and then compare it in the background.

Of course, in the actual use, we can not directly to the time as a dynamic password, so not only too simple, and not many people share the system, so we have to "time" on the basis of a fuss, that is, set each individual specific algorithm. Or in the above time "14:28 minutes 54 seconds" For example, we now split, and enhance the algorithm, in order to facilitate memory, I divided the time into three parts "14, 28, 54", and the number "365" as an additional password, the formula is as follows: "14+3, 28+6, 54+5", That is, the final dynamic password is actually "173459". If you want more security, we can set up on the basis of continuous changes, such as the introduction of "+-*÷", additional password can also be arbitrary their own easy to remember the number, such as birthdays, ID number, etc., "Time + additional code" through a specific algorithm at random combination.

OK, it's done! Such a password in addition to the creator himself, who can not think of how to get, and every second is changing, the most critical is, for programmers, only a short span of 10 minutes can be deployed!

If you have questions about this article or if you are having problems with your deployment, you can contact the author (qq:622569).

Article: Cao Jianxiang