StandardPasswordEncoder encoder = new StandardPasswordEncoder("secret");
String result = encoder.encode("myPassword");
assertTrue(encoder.matches("myPassword", result));
This is all clear, but in database I just store a single VARCHAR password field storing hashed value concatenated by salt?开发者_如何学编程 Is it that simple?
In the Database you should store the return value of endocer.encode.
just store a single VARCHAR password field storing hashed value concatenated by salt?
That is wrong (or may only not correct written), correct is:
- In the first step the Salt is added to the password,
- In the second step the hash is calculated (from the salted password)
hash(password+salt)
But NOT the other way around hash(password)+salt!
People say not to store passwords as plain text , but hashed passwords are still plain abracadabra text
The people mean that you should not store the password as it is (plain) but of course you can store the hash in a text representation. -- The problem that the people talk about is, that if anybody has access to the database he should not bean able to read the passwords to use them. If you think that storing passwords as hash (for example md5) is not secure enough, because of well known md5--cleartext tables, then one add a salt before, and hope that password+salt is not in that tables.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论