java - 用户登录，密码 md5 加密 问题

Question

小弟需要写一个用户登录的模块，现在已经完成了...但是由于密码是明文存在数据库的，

现在需要改为md5 加密，然后登录，希望给为前辈给点指导，最好是有源码的，谢谢。
（关于为什么用md5，之前也了解过一点，登录加密的用这最好。如果你们有更好的加密方式，也欢迎提出来）。

Answer 1

$salt = sha1(uniqid(mt_rand(), true));
$pwd_db = sha1($salt.sha1($pwd_user));

$salt is a random salt value generated when the user registers.
$pwd_db is the salted password hash saved in the database.
$salt and $pwd_db are both stored in the user table.
where :
uniqid gets a unique number with prefix (mt_rand), entropy (true) at the end, based on the number of microseconds in the current time.
mt_rand is used to generate better random numbers.
Characters generated by sha1 The length of the string is 40 bits, and the field type can be set to char(40).

Answer 2

1. Add salt
   Nowadays, mainstream user password encryption requires adding salt, because the md5 rainbow table already includes the vast majority of "weak passwords" with less than 11 digits.
   And it can be easily With the data leakage of many large websites. The risk of md5 being exploded is even greater. In fact, the hash of md5 can be used to find a person's frequently used websites.

Pseudocode:

md5(password + salt)

Answer 3

Are there no md5 related packages in Java? Anyway, PHP can do it with just one function md5()^﹏^

Answer 4

There is no problem with using md5, and it is also a commonly used solution in the industry.
One thing to note is that before encrypting the password with md5, it is best to add salt, otherwise the security of the weak password will be extremely poor.

Answer 5

Look at the secure login authentication of web applications. Although it is C#, Java is similar.

Answer 6

The poster only said that plain text should not be stored in the database. Isn’t it enough to just call the encryption method and save it when the network data is stored?
Encryption methods are available at both the front and back ends.

Answer 7

As savokiss said md5(md5(password)+salt) is already a better solution.
For higher security, you can consider Bcrypt or the like.
It is best not to just repeat the string of salt, use id, username, timestamp, etc. are all good.

Answer 8

Add salt~ Add salt~ Add salt~ Say important things three times.

Answer 9

Used in dz:

md5(md5(password)+salt)

Salt is salt. It can be the same globally or unique for each user. It is a field in the database

MD5 is not reversible, but it can be exhaustive by dictionary, so it is very easy to exhaustively crack single-layer md5. However, if you add salt, you only know your encrypted password and don’t know the salt. It’s useless

For other encryption methods, you can check out the website that cracks md5. I won’t mention the website name