Java password salt

If passwords are hashed with MD5 alone, the original password is easy to recover from the hash, and if two users have the same password, the values saved in the database are also the same.
The solution is to append a long string to the user's short password and then compute the MD5. Recovering the original password then becomes very difficult, and even if two users have the same password, the values stored in the database are not the same. The long string that is added is called a salt, and the result of hashing in this way is called a salted hash.

Usage example:
Suppose there are two users, admin and abc, and both passwords are 123456. At registration, the salt is taken as the username + an MD5 value.
The final computed passwords are not the same.

package com.example.shiro;

import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class TestPasswordSalt {
    public static void main(String[] args) {
        String pwd1 = md5("123456", "admin8d78869f470951332959580424d4bf4f");
        System.out.println(pwd1);
        // password: d3c59d25033dbf980d29554025c23a75
        String pwd2 = md5("123456", "abc0c23e95fd137ea96c4ef24366b7e6f1f");
        System.out.println(pwd2);
        // password: ae8bb0dd40e4eddeac081f8e31afdaed
    }

    public static final String md5(String password, String salt) {
        // hash algorithm
        String hashAlgorithmName = "MD5";
        // salt: the same password hashed with different salts gives different results
        ByteSource byteSalt = ByteSource.Util.bytes(salt);
        // password
        Object source = password;
        // number of hash iterations
        int hashIterations = 2;
        SimpleHash result = new SimpleHash(hashAlgorithmName, source, byteSalt, hashIterations);
        return result.toString();
    }
}

The fields saved in the database table are shown below. At login, the username + salt is retrieved for verification.

username  password                          salt
admin     d3c59d25033dbf980d29554025c23a75  8d78869f470951332959580424d4bf4f
abc       ae8bb0dd40e4eddeac081f8e31afdaed  0c23e95fd137ea96c4ef24366b7e6f1f
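
The registration and login flow described above, as an added example that is not code from the original post. The class name, the in-memory map standing in for the database table, and the random salt generation are assumptions; the Shiro 1.x package names, MD5 and the 2 iterations follow the page's code.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class SaltedLoginExample {
    // Values taken from the page. The salt stops identical hashes and
    // precomputed tables; only the iteration count slows down guessing.
    static final String ALGORITHM = "MD5";
    static final int ITERATIONS = 2;

    // Hypothetical stand-in for the user table: username -> {password hash, salt}.
    static final Map<String, String[]> USERS = new HashMap<>();

    static String hash(String username, String password, String salt) {
        // Same salting scheme as the page: username + per-user salt value.
        ByteSource byteSalt = ByteSource.Util.bytes(username + salt);
        return new SimpleHash(ALGORITHM, password, byteSalt, ITERATIONS).toString();
    }

    static void register(String username, String password) {
        // Assumption: 16 random bytes (Shiro's default), hex-encoded to 32 characters.
        String salt = new SecureRandomNumberGenerator().nextBytes().toHex();
        USERS.put(username, new String[] { hash(username, password, salt), salt });
    }

    static boolean login(String username, String password) {
        String[] row = USERS.get(username);
        if (row == null) {
            return false; // unknown user
        }
        byte[] expected = row[0].getBytes(StandardCharsets.US_ASCII);
        byte[] actual = hash(username, password, row[1]).getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison of the stored and recomputed hex digests.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        register("admin", "123456");
        register("abc", "123456");
        // Same password, different salts: compare the two stored hashes.
        System.out.println(USERS.get("admin")[0].equals(USERS.get("abc")[0]));
        System.out.println(login("admin", "123456"));
        System.out.println(login("admin", "654321"));
    }
}
```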

Origin www.cnblogs.com/gdjlc/p/12052083.html