
In-depth analysis of the password plus salt principle_PHP tutorial

WBOY (Original)
2016-07-21 15:08:43, 812 views

We know that if a password is hashed directly, a hacker who obtains the password hash can recover the user's password by looking the hash up in a precomputed hash dictionary (such as an MD5 password cracking website).

Adding a salt solves this problem to a certain extent. Salting means mixing some "seasoning" into the password. The basic idea is this: when a user first supplies a password (usually at registration), the system sprinkles some "seasoning" into the password and then hashes the result. When the user logs in, the system sprinkles the same "seasoning" into the password the user supplied, hashes it, and compares the two hash values to decide whether the password is correct.

This "seasoning" is called the "salt value". It is generated randomly by the system and is known only to the system. As a result, even if two users choose the same password, their hash values will differ, because the system generated a different salt for each of them. And even if a hacker tries to find users with a particular password by hashing candidate passwords themselves, the chance of a match is very small, since both the password and the salt value would have to be the same as the ones the hacker used.

The following uses PHP as an example to explain an md5($pass.$salt) hashing function.

The code is as follows:

<?php
// Note: the original named this function hash(), which collides with PHP's
// built-in hash() and fails with "Cannot redeclare hash()"; it is renamed here.
function hash_password($a) {
    $salt = "Random_KUGBJVY"; // Define a salt value: a random string fixed by the programmer
    $b = $a . $salt;          // Concatenate the password and the salt
    $b = md5($b);             // Compute the MD5 hash
    return $b;                // Return the hash
}
?>

Calling method: $new_password = hash_password($_POST['password']); // The value submitted by the form is received and hashed

Below is a detailed description of the salted hashing process. One point to stress first: as mentioned above, the "same" seasoning that was used when the password was first hashed must be used again when verifying it. Therefore the salt value must be stored in the database.

When a user registers:

1. The user enters [Account] and [Password] (and other user information).
2. The system generates a [Salt value] for the user.
3. The system concatenates the [Salt value] and the [User password].
4. The concatenated value is hashed to obtain [Hash value 1].
5. [Hash value 1] and [Salt value] are each stored in the database.

When the user logs in:

1. The user enters [Account] and [Password].
2. The system looks up the stored [Hash value 1] and [Salt value] by the account name.
3. The system concatenates the [Salt value] and the [Password entered by the user].
4. The concatenated value is hashed to obtain [Hash value 2] (note that this value is computed on the spot).
5. [Hash value 1] and [Hash value 2] are compared: if they are equal, the password is correct; otherwise the password is wrong.
Sometimes, to reduce development effort, programmers use a single shared salt value (stored somewhere) instead of generating a private salt value for each user. Note that a shared salt gives up the property described above: two users who choose the same password then end up with the same hash value.
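The registration and login steps above, and the shared-salt caveat, worked through as an added PHP example (this is not code from the original article). It keeps the article's md5($password . $salt) scheme; the function names (generate_salt, salted_hash, register_user, verify_login), the in-memory $users array standing in for the database table, and the sample accounts and passwords are this example's own assumptions.

```php
<?php
// Added example, not from the original article. Per-user salted hashing for
// registration and login, with an in-memory array as the "database".

// Generate a random per-user salt. random_bytes() (PHP 7+) is a CSPRNG, so the
// salt is unpredictable rather than a fixed string chosen by the programmer.
function generate_salt(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));
}

// Hash a password with a given salt, exactly as the article describes.
function salted_hash(string $password, string $salt): string {
    return md5($password . $salt);
}

// Registration: create a salt, hash the password with it, store both.
// (Assumed storage layout: one record per account holding 'salt' and 'hash'.)
function register_user(array &$users, string $account, string $password): void {
    $salt = generate_salt();
    $users[$account] = [
        'salt' => $salt,
        'hash' => salted_hash($password, $salt), // "Hash value 1"
    ];
}

// Login: look up the stored hash and salt by account, recompute, compare.
function verify_login(array $users, string $account, string $password): bool {
    if (!isset($users[$account])) {
        return false; // unknown account
    }
    $record = $users[$account];
    $hash2 = salted_hash($password, $record['salt']); // "Hash value 2"
    // hash_equals() compares in constant time, so the comparison itself does
    // not leak how many leading characters of the hash matched.
    return hash_equals($record['hash'], $hash2);
}

// Constructed sample data: two users who happen to pick the same password.
$users = [];
register_user($users, 'alice', 'hunter2');
register_user($users, 'bob', 'hunter2');

echo "Per-user salts: same password, hashes differ? ";
echo ($users['alice']['hash'] !== $users['bob']['hash']) ? "yes\n" : "no\n";

echo "alice / correct password:   ", verify_login($users, 'alice', 'hunter2') ? "accepted\n" : "rejected\n";
echo "alice / wrong password:     ", verify_login($users, 'alice', 'Hunter2') ? "accepted\n" : "rejected\n";
echo "unknown account:            ", verify_login($users, 'carol', 'hunter2') ? "accepted\n" : "rejected\n";

// The caveat from the last paragraph: with one shared salt, users who chose
// the same password end up with identical stored hashes.
$shared_salt = 'Random_KUGBJVY';
echo "Shared salt: same password, hashes identical? ";
echo (salted_hash('hunter2', $shared_salt) === salted_hash('hunter2', $shared_salt)) ? "yes\n" : "no\n";
```

The example keeps MD5 to match the article. In current PHP, password_hash() and password_verify() perform the same store-salt-and-recompute procedure internally, generating a random per-user salt and using a deliberately slow hash, so they are the practical choice for new code.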
