深入密码加salt原理的分析_php技巧
我们知道,如果直接对密码进行散列,那么黑客可以对通过获得这个密码散列值,然后通过查散列值字典(例如MD5密码破解网站),得到某用户的密码。
加Salt可以一定程度上解决这一问题。所谓加Salt方法,就是加点“佐料”。其基本想法是这样的:当用户首次提供密码时(通常是注册时),由系统自动往这个密码里撒一些“佐料”,然后再散列。而当用户登录时,系统为用户提供的代码撒上同样的“佐料”,然后散列,再比较散列值,已确定密码是否正确。
这里的“佐料”被称作“Salt值”,这个值是由系统随机生成的,并且只有系统知道。这样,即便两个用户使用了同一个密码,由于系统为它们生成的salt值不同,他们的散列值也是不同的。即便黑客可以通过自己的密码和自己生成的散列值来找具有特定密码的用户,但这个几率太小了(密码和salt值都得和黑客使用的一样才行)。
下面以PHP示例,讲解md5($pass.$salt)加密函数。
function hash($a) {
$salt=”Random_KUGBJVY”; //定义一个salt值,程序员规定下来的随机字符串
$b=$a.$salt; //把密码和salt连接
$b=md5($b); //执行MD5散列
return $b; //返回散列
}
?>
调用方式:$new_password=hash($_POST[password]); //这里接受表单提交值,并进行加密
下面详细介绍一下加Salt散列的过程。介绍之前先强调一点,前面说过,验证密码时要使用和最初散列密码时使用“相同的”佐料。所以Salt值是要存放在数据库里的。
用户注册时,
用户输入【账号】和【密码】(以及其他用户信息);系统为用户生成【Salt值】;系统将【Salt值】和【用户密码】连接到一起;对连接后的值进行散列,得到【Hash值】;将【Hash值1】和【Salt值】分别放到数据库中。
用户登录时,
用户输入【账号】和【密码】;系统通过用户名找到与之对应的【Hash值】和【Salt值】;系统将【Salt值】和【用户输入的密码】连接到一起;对连接后的值进行散列,得到【Hash值2】(注意是即时运算出来的值);比较【Hash值1】和【Hash值2】是否相等,相等则表示密码正确,否则表示密码错误。
有时候,为了减轻开发压力,程序员会统一使用一个salt值(储存在某个地方),而不是每个用户都生成私有的salt值。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to solve the problem that Windows 11 prompts you to enter the administrator username and password to continue?
Apr 11, 2024 am 09:10 AM
When using Win11 system, sometimes you will encounter a prompt that requires you to enter the administrator username and password. This article will discuss how to deal with this situation. Method 1: 1. Click [Windows Logo], then press [Shift+Restart] to enter safe mode; or enter safe mode this way: click the Start menu and select Settings. Select "Update and Security"; select "Restart Now" in "Recovery"; after restarting and entering the options, select - Troubleshoot - Advanced Options - Startup Settings -&mdash
How to set router WiFi password using mobile phone (using mobile phone as tool)
Apr 24, 2024 pm 06:04 PM
Wireless networks have become an indispensable part of people's lives in today's digital world. Protecting the security of personal wireless networks is particularly important, however. Setting a strong password is key to ensuring that your WiFi network cannot be hacked by others. To ensure your network security, this article will introduce in detail how to use your mobile phone to change the router WiFi password. 1. Open the router management page - Open the router management page in the mobile browser and enter the router's default IP address. 2. Enter the administrator username and password - To gain access, enter the correct administrator username and password in the login page. 3. Navigate to the wireless settings page - find and click to enter the wireless settings page, in the router management page. 4. Find the current Wi
Tutorial on changing wifi password on mobile phone (simple operation)
Apr 26, 2024 pm 06:25 PM
Wireless networks have become an indispensable part of our lives with the rapid development of the Internet. In order to protect personal information and network security, it is very important to change your wifi password regularly, however. To help you better protect your home network security, this article will introduce you to a detailed tutorial on how to use your mobile phone to change your WiFi password. 1. Understand the importance of WiFi passwords. WiFi passwords are the first line of defense to protect personal information and network security. In the Internet age, understanding its importance can better understand why passwords need to be changed regularly. 2. Confirm that the phone is connected to wifi. First, make sure that the phone is connected to the wifi network whose password you want to change before changing the wifi password. 3. Open the phone’s settings menu and enter the phone’s settings menu.
Incorrect password, beware BitLocker warning
Mar 26, 2024 am 09:41 AM
This article will explore how to solve the problem of wrong password, especially the need to be careful when dealing with BitLocker warnings. This warning is triggered when an incorrect password is entered multiple times in BitLocker to unlock the drive. Usually, this warning occurs because the system has a policy that limits incorrect login attempts (usually three login attempts are allowed). In this case, the user will receive an appropriate warning message. The complete warning message is as follows: The password entered is incorrect. Please note that continuously entering incorrect passwords will cause the account to be locked. This is to protect the security of your data. If you need to unlock your account, you will need to use a BitLocker recovery key. The password is incorrect, beware the BitLocker warning you receive when you log in to your computer
How to Remove Windows 10 Lock Screen Password Now
Jan 09, 2024 pm 03:33 PM
After upgrading the win101909 system, some friends may want to cancel their computer lock screen password. If you don’t know what to do, I think we can find the account options in the computer’s settings window. Let’s take a look at the specific methods. How to cancel the lock screen password in win101909: 1. First press Win+I to open the settings interface. 2. Then find the account--login option, and then set it as shown. How to cancel power-on password login in win101909: 1. Execute regedit during running to open the registry and navigate to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\Cu
How to use Passkey for your Microsoft account
Feb 19, 2024 am 11:03 AM
Passkey is a more advanced and secure way to log in and can be used with a Microsoft account. This article will guide you how to use Passkey in your Microsoft account, introduce its advantages and the differences with passwords. Before we get into the details, we emphasize that if you frequently forget your passwords or need to log in quickly, Passkey will generally be better for you. What is Passkey? How are they different from passwords? Passwords are an advanced and secure authentication method that can replace traditional password logins. Each application has a unique key, ensuring security and preventing threats like phishing. Users can confirm their identity via email and password, or use facial recognition, fingerprint or security key
How to Fix 'iPhone Not Available” Message
Sep 17, 2023 pm 09:25 PM
How does the "iPhone is not available" security feature work? The basic mechanism that triggers the "iPhone Not Available" message is rooted in the security features of the system's design, which track every incorrect passcode entry. This protection kicks into high gear from the fifth incorrect attempt to unlock the device. Once this milestone is reached, the iPhone sets a temporary lock period of one minute, during which any additional attempts to enter the passcode become futile. This lock duration is not static but follows an escalating pattern. Specifically, after the fifth password attempt, each subsequent incorrect password attempt will cause the lockout timer to be increased by one minute. For example, the sixth incorrect attempt will result in a 2 minute lockout and the seventh incorrect attempt will result in a 3 minute
How to switch between dual systems and reset password on Huawei mobile phone
Feb 19, 2024 am 09:05 AM
With the continuous advancement of technology, mobile phones have become one of the indispensable tools in our daily lives. As a well-known mobile phone brand, Huawei is deeply loved by consumers. The dual-system function in Huawei mobile phones allows users to easily switch between different operating systems and enjoy different usage experiences. However, what should we do if we forget the dual-system switching password? Next, I will introduce several solutions for you. The first solution is to reset the password through the official service channel of the mobile phone. For Huawei mobile phones, users can
