Are there relatively secure password encryption rules, given the password leak events?

50 4

As for CSDN storing passwords in plaintext, I can't get the slot.

The traditional direct md5(password) is weak, and the password dictionary will be. So I'd like you to provide me with some password encryption rules in code that are worth using in future development.

My usual method is to use JavaScript md5 asynchronously to encrypt the password locally and submit it to the server; the server then takes a field of the user table (such as registration.

15 Answers

102 3

In fact, there are a lot of manuals on security issues, and a lot of the help documentation is written very well; I don't know whether current programmers have read it.

For example, PHP gives the following link in the md5 manual: http://cn2.php.net/manual/en/faq.pass..

I'd like to translate the key points:
1. md5, sha1 and sha256 aren't suitable for encrypting passwords; the above functions are designed for quick and efficient verification, and with modern computer technology it's completely possible to brute-force them.

2. For encrypting passwords it's best to use a more complex algorithm such as crypt, together with "adding a salt value (salt)"; the salt method is to make some regular changes to the original password before encrypting it.

3. The third point explains what a salt is, and that once a salt is used it isn't possible to see the original password immediately.

Later I noticed the part about using md5 on the client, and my first feeling is that it's nothing, because the client's JS code is visible, so the encryption rules are known.

For the transport layer, just honestly use https.

50 0

First, saving the user's password in clear text: it's a good practice to do so in case the user tries to change it.

It should be said that a pure md5 hash is also very secure, and now hackers are going to be very large from the of each station. So domestically, users' passwords are still at a very basic stage, and you can only send them to the hacker.

The popular way of handling passwords abroad now is based on md5 plus a random scrambling value (salt), so that the value of your password hash is random, even. In PHP there's a well-known phpass library (http://www.openwall.com/phpass/), which is currently used by WordPress.

Beyond a pure hash, apart from using hash (sha) algorithms, you can also use the blowfish cipher operator. I remember an article about it: because it uses an operator to do the calculations, you can select an appropriate combination of operators according to the speed of. But the disadvantage of this algorithm is that it's too expensive for the CPU.
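The salted, deliberately slow scheme that both answers above recommend in place of bare md5 (crypt with a salt, or phpass), as an added example that is not from the original thread or from phpass; it uses Python's standard-library PBKDF2 instead of PHP's crypt, and the usernames, passwords and iteration count are constructed assumptions:

```python
import hashlib
import hmac
import os

# Constructed sample users: two of them chose the same weak password.
USERS = {"alice": "password123", "bob": "password123", "carol": "Tr0ub4dor&3"}
# Assumption: iteration count tuned so one hash costs ~100 ms on the login server.
ITERATIONS = 200_000


def md5_hash(password):
    """The weak scheme from the question: fast, unsalted, same output for same input."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_hash_groups(users):
    """Group users whose plain md5 digests are identical.

    In a leak every such group falls together, and one precomputed dictionary
    of md5 digests works against every site that stores passwords this way.
    """
    by_digest = {}
    for name, pw in users.items():
        by_digest.setdefault(md5_hash(pw), []).append(name)
    return [sorted(g) for g in by_digest.values() if len(g) > 1]


def hash_password(password, salt=None):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) as a self-describing record.

    A fresh 16-byte salt per user means equal passwords give different records,
    so precomputed tables are useless and each guess costs the full iteration
    count per user.  (The thread recommends crypt/phpass for PHP; same idea.)
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never fall back to a weaker check
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Storing the algorithm name and iteration count inside the record lets you raise the cost later and re-hash old records at the user's next successful login.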
