How to store user passwords securely

1: Basic knowledge: Hashing with Salt

We already know how easy it is for malicious attackers to use lookup tables and rainbow tables to crack ordinary hash encryption. quick. We have also

learned that using randomly salted hashes can solve this problem. But what kind of salt do we use, and how do we

mix it into a password?

The salt value should be generated using a cryptographically secure pseudo-random number generator (Cryptographically Secure Pseudo-Random

Number Generator, CSPRNG). CSPRNG is very different from ordinary pseudo-random number generators, such as the rand() function of the "C" language. As the name suggests, CSPRNG is designed to be cryptographically secure, meaning it provides highly random, completely unpredictable random numbers. We don't want the salt value to be predictable, so CSPRNG must be used.

The following table lists some CSPRNG methods of current mainstream programming platforms.

PlatformCSPRNGPHPmcrypt_create_iv, openssl_random_pseudo_bytesjava.security.SecureRandom##Dot NET (C#, VB) System.Security.Cryptography.RNGCryptoServiceProviderRubySecureRandomPythonos.urandomPerlMath::Random::SecureC/C++ (Windows API) CryptGenRandomAny language on GNU/Linux or UnixRead from /dev/random or /dev/urandomNever reuse a salt value. The salt value should also be long enough so that there is enough salt value to be used for hash encryption. A rule of thumb is that the salt value should be at least as long as the output of the hash function. This salt should be stored in the user accounts table along with the password hash.

	Java
	A unique salt value must be used for each password of each user. Each time a user creates an account or changes their password, the password should have a new random salt value.

Steps to store passwords:

Use CSPRNG to generate a random salt value long enough.

Mix the salt into the password and encrypt it using a standard password hashing function, such as Argon2, bcrypt, scrypt, or PBKDF2.

1. Store the salt value and the corresponding hash value together in the user database.
3. Steps to verify password:

Retrieve the user’s salt value from the database and the corresponding hash value.

Mix the salt value into the password entered by the user and encrypt it using a common hash function.

1. Compare the result of the previous step to see if it is the same as the hash value stored in the database. If they are the same, the password is correct; otherwise, the password is wrong.

The above is the detailed content of How to store user passwords securely. For more information, please follow other related articles on the PHP Chinese website!