Most developers use the database store password. However, those who find user data in the database can also see these passwords. Store the password in a clear manner in the database, it is unsafe. You can use a hash algorithm to encrypt your password and then store it in the database. After the user enters the password, you can use the hash algorithm to decrypt it, and then compare it with the hash stored in the database.
.NET developers can use multiple encryption algorithms, most commonly used, SHA1 and MD5. This article will be described in how to encrypt the password using the MD5 algorithm.
The code is simple:
Using system.security.cryptography;
public string PwdEncrypt (string Pwd) // password encryption {MD5 md5 = new MD5CryptoServiceProvider (); byte [] data = System.Text.Encoding.Default.GetBytes (Pwd); byte [] md5data = md5.ComputeHash (data); Md5.clear (); string str = "";
For (int i = 0; i Return Str;} The encrypted string looks far from the original input. These hash algorithms are very useful for creating a password without any meaning, making it difficult for other people to guess these passwords. Use a hash algorithm to encrypt the original password after encryption. Add some "salt" value in the hash So far, one of the problems exposed by hash algorithm is that if the two users happen to use the same password, the row value will be exactly the same. If the hacker sees the form of the storage password, it will find the rules and understand that it is likely to use a common term, and then the hacker will start the dictionary attack to determine these passwords. To make sure that the hash value of any two user passwords is different, a method is to add a unique value in each user's password before encrypted password. This unique value is called "salt" value. When operating this, it is necessary to ensure that the salt value of the use is stored as part of the user record. If you use a table to store user IDs and passwords, it is recommended to use different forms to store salt values. In this way, even if the database leaks, the salt value can also provide an additional security. There are many ways to add salt values in the user password. The easiest way is to take some information of the user (eg, a name, name, email address, or employee ID) and add it to the user password, and then encrypt. The disadvantage of this method is that because the salt value needs to be stored, if the hacker finds the value, everything you do will have a message. Of course, hackers need to spend additional time to crack the salt value, but this is simply easy to make a hacker. Another method is to create a random numeric string using the .NET Framework class RNGCRYPTOSERVICEPROVIDER. RNG represents a random number generator. This class can create an arbitrary length random byte array. This random byte array can be used as the salt value of the hash algorithm. To use this method, the salt value must be safely stored. For more information on encryption, review Microsoft's "Simplified Encryption in Microsoft .NET". http://www.microsoft.com/china/msdn/archives/library/dnnetsec/html/cryptosimplified.asp#cryptogr_topic3
