What are the methods of password encryption?

Password encryption methods include: 1. Save in plain text; 2. Save with symmetric encryption algorithm; 3. One-way HASH algorithms such as MD5 and SHA1; 4. PBKDF2 algorithm; 5. Algorithms such as bcrypt and scrypt.

User password encryption methods

What are the common encryption methods when user passwords are saved to the database? ?The following methods are common ways to save passwords:

1. Save in plain text

For example, if the password set by the user is "123456", "123456" will be saved directly in the database. It is the simplest way to save, but also the most unsafe way. But in fact, many Internet companies may adopt this approach.

2. Symmetric encryption algorithm to save

For example, 3DES, AES and other algorithms. Using this method of encryption can restore the original password through decryption. Of course, the prerequisite is to obtain the password. key. However, since a large amount of user information has been leaked, the key is likely to be leaked as well. Of course, general data and keys can be stored and managed separately, but it is also very complicated to completely protect the keys, so this Not in a good way.

3. One-way HASH algorithms such as MD5 and SHA1

After using these algorithms, the original password cannot be restored through calculation, and the implementation is relatively simple, so many Internet companies use this method to save User passwords used to be a relatively secure method, but with the rise of rainbow table technology, rainbow tables can be created for table lookup and cracking. This method is now very unsafe.

In fact, the company also used this MD5 encryption method before.

4. PBKDF2 algorithm

The principle of this algorithm is roughly equivalent to adding random salt to the HASH algorithm and performing multiple HASH operations. The random salt greatly increases the difficulty of creating a rainbow table. Multiple HASH also greatly increases the difficulty of table creation and cracking.

When using the PBKDF2 algorithm, HASH generally uses sha1 or sha256. The length of the random salt should generally not be less than 8 bytes, and the number of HASH times must be at least 1,000, so that the security is high enough. A password verification process carries out 1000 HASH operations, which may only take 1ms for the server, but for the cracker the calculation cost increases by 1000 times, and at least 8 bytes of random salt increases the difficulty of creating a table by N Order of magnitude, making large-scale password cracking almost impossible. This algorithm is also recommended by the National Institute of Standards and Technology.

5. Algorithms such as bcrypt and scrypt

These two algorithms can also effectively resist rainbow tables. When using these two algorithms, you also need to specify corresponding parameters, making it more difficult to crack.

In cryptography, scrypt (pronounced "ess crypt") is a key derivation function invented by Colin Percival in 2009. It was originally designed to be used in the Tarsnap service he founded. Designed with large-scale attacks on custom hardware in mind, it is intentionally designed to require large amounts of memory.

Scrypt not only takes a long time to calculate, but also takes up a lot of memory, making it extremely difficult to calculate multiple digests in parallel, so it is more difficult to use rainbow tables to carry out brute force attacks. Scrypt is not widely used in production environments and lacks careful scrutiny and extensive library support. However, as long as there are no flaws at the algorithm level, Scrypt should be more secure than PBKDF2 and bcrypt.

Summary

Using PBKDF2, bcrypt, scrypt and other algorithms can effectively resist rainbow table attacks. Even if the data is leaked, the most critical "user password" can still be effectively protected, and hackers cannot mass Crack user passwords to cut off the root cause of credential stuffing and account scanning.

The above is the detailed content of What are the methods of password encryption?. For more information, please follow other related articles on the PHP Chinese website!