If a password is hashed directly, an attacker who obtains the stored hash can often recover the password simply by looking the hash up in a precomputed table (a rainbow table, or one of the online "MD5 cracking" sites that perform the same lookup), because the same password always produces the same hash.
Adding a salt solves this problem to a large extent. The idea is simple: when the user first supplies a password (usually at registration), the system mixes some extra "seasoning" into the password before hashing it. When the user logs in, the system mixes the same seasoning into the password the user just typed, hashes the result, and compares that hash with the stored one to decide whether the password is correct.
The seasoning is the salt value: a random string that the system generates for each user and keeps alongside the account. With per-user salts, two users who choose the same password still end up with different hashes, because their salts differ. A precomputed table is useless against this, since it would have to be built once for every possible salt; an attacker who hashes guesses with a salt of his own choosing will only match an account that happens to use both that password and that exact salt, which is vanishingly unlikely. Note that the salt itself does not have to be secret; what it removes is the attacker's ability to reuse one table, or one computation, across many accounts.
The following PHP example shows the md5($pass.$salt) construction. (This is hashing, not encryption: the result cannot be turned back into the password, which is exactly the property wanted for storage.)
<?php
// Named salted_md5 rather than hash(): PHP already ships a built-in hash()
// function, so declaring our own hash() is a fatal "cannot redeclare" error.
function salted_md5($a) {
    $salt = "Random_KUGBJVY"; // A single fixed salt chosen by the programmer (the per-user scheme below generates one per account instead)
    $b = $a . $salt;          // Concatenate password and salt: $pass.$salt
    $b = md5($b);             // MD5-hash the concatenation
    return $b;                // Return the 32-character hex digest
}
?>
Call method: $new_password = salted_md5($_POST['password']); // Hash the password submitted by the form. The array key must be quoted: an unquoted key is treated as an undefined constant and is an error on PHP 8.
The procedure for salted hashing is described step by step below. One point deserves emphasis first: as noted above, verifying a password requires the same "seasoning" that was used when the password was first set, so the salt value must be stored in the database alongside the hash.
When the user registers,
The user enters [Account] and [Password] (plus any other profile information); the system generates a fresh random [Salt value] for this user; the system concatenates [Salt value] and [User password]; the concatenation is hashed to obtain [Hash value 1]; and [Hash value 1] and [Salt value] are stored in the database, each in its own column.
When the user logs in,
The user enters [Account] and [Password]; the system looks up the stored [Hash value 1] and [Salt value] for that account; the system concatenates [Salt value] and [Password entered by the user]; the concatenation is hashed to obtain [Hash value 2] (note that this value is computed on the fly and never stored); and [Hash value 1] is compared with [Hash value 2]. If they are equal the password is correct, otherwise it is wrong.
Sometimes, to save development effort, programmers use a single salt value for everyone (stored somewhere in the code or configuration, as in the PHP example above) instead of generating a private salt for each user. This is a weaker scheme: users with the same password get the same hash again, so duplicate passwords are visible at a glance, and once the shared salt is known an attacker can build one table that cracks every account at once.
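The registration and login procedure above, together with the shared-salt shortcut in the last paragraph, worked through in Python as an added example (it is not code from the original page, and it is Python rather than the page's PHP so that it can be run as-is). The digest is md5(password . salt), the same order as the PHP example; the "database" is an in-memory dict, the salt comes from Python's secrets module, and the function names, the sample accounts and the reused password "hunter2" are all constructed for the example. The constant-time comparison in login is an added hardening step that the page does not mention.

```python
import hashlib
import hmac
import secrets


def salted_md5(password, salt):
    """md5(password . salt), the same construction as the page's PHP example."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def register(db, username, password):
    """Registration: the system generates a fresh salt for this user, hashes
    password and salt together, and stores hash and salt side by side."""
    if username in db:
        raise ValueError("account already exists: %s" % username)
    salt = secrets.token_hex(16)  # 16 random bytes from the OS CSPRNG, hex-encoded
    db[username] = {"salt": salt, "hash": salted_md5(password, salt)}
    return db[username]


def login(db, username, password):
    """Login: look up the stored hash and salt by account name, recompute the
    hash with the stored salt, and compare it with the stored hash."""
    record = db.get(username)
    if record is None:
        return False
    recomputed = salted_md5(password, record["salt"])  # "Hash value 2", never stored
    # Constant-time comparison so the check does not leak how many leading
    # characters of the digest matched (added hardening, not on the page).
    return hmac.compare_digest(recomputed, record["hash"])


def register_with_global_salt(db, username, password, global_salt):
    """The shortcut from the last paragraph: one salt shared by every account."""
    if username in db:
        raise ValueError("account already exists: %s" % username)
    db[username] = {"salt": global_salt, "hash": salted_md5(password, global_salt)}
    return db[username]


def users_sharing_a_hash(db):
    """Group accounts whose stored hashes are identical. With per-user salts
    this is always empty; with a global salt it exposes every set of accounts
    that chose the same password without cracking a single hash."""
    by_hash = {}
    for username, record in db.items():
        by_hash.setdefault(record["hash"], []).append(username)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample accounts; "hunter2" is deliberately reused.
    per_user = {}
    register(per_user, "alice", "hunter2")
    register(per_user, "bob", "hunter2")
    print("per-user salts, same password, hashes equal?",
          per_user["alice"]["hash"] == per_user["bob"]["hash"])
    print("alice, correct password:", login(per_user, "alice", "hunter2"))
    print("alice, wrong password:  ", login(per_user, "alice", "hunter3"))

    shared = {}
    register_with_global_salt(shared, "carol", "hunter2", "Random_KUGBJVY")
    register_with_global_salt(shared, "dave", "hunter2", "Random_KUGBJVY")
    print("global salt, duplicate password groups:", users_sharing_a_hash(shared))
```

One caveat a practitioner should keep in mind: a salt defeats precomputed tables, but MD5 is fast, so an attacker who has the hash and the salt can still brute-force a single weak password quickly. The procedure above is unchanged if salted_md5 is swapped for a deliberately slow password hash such as bcrypt or Argon2, which is what a new system should use.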