为防止密码泄露与轻易被暴力破解,采用hash等方式已经不再安全,可以采用如彩虹桥类似方式进行破解,
推荐采用加盐的方式对密码进行加密机存储
package test;
import java.security.MessageDigest;
import java.util.UUID;
/**
* 加密
*
* @author xiaochangwei
*
*/
public class PasswordEncryptor {
private final static String[] hexDigits = { "0", "1", "2", "3", "4", "5",
"6", "!", "#", "@", "a", "b", "c", "d", "*", "f", "g", "F" };
private Object salt;
private String algorithm;
public PasswordEncryptor(Object salt, String algorithm) {
this.salt = salt;
this.algorithm = algorithm;
}
public String encode(String rawPass) {
String result = null;
try {
MessageDigest md = MessageDigest.getInstance(algorithm);
// 加密后的字符串
result = byteArrayToHexString(md.digest(mergePasswordAndSalt(
rawPass).getBytes("utf-8")));
} catch (Exception ex) {
}
return result;
}
public boolean isPasswordValid(String encPass, String rawPass) {
String pass1 = "" + encPass;
String pass2 = encode(rawPass);
return pass1.equals(pass2);
}
private String mergePasswordAndSalt(String password) {
if (password == null) {
password = "";
}
if ((salt == null) || "".equals(salt)) {
return password;
} else {
return password + "{" + salt.toString() + "}";
}
}
/**
* 转换字节数组为16进制字串
*
* @param b
* 字节数组
* @return 16进制字串
*/
private static String byteArrayToHexString(byte[] b) {
StringBuffer resultSb = new StringBuffer();
for (int i = 0; i < b.length; i++) {
resultSb.append(byteToHexString(b[i]));
}
return resultSb.toString();
}
private static String byteToHexString(byte b) {
int n = b;
if (n < 0)
n = 256 + n;
int d1 = n / hexDigits.length;
int d2 = n % hexDigits.length;
return hexDigits[d1] + hexDigits[d2];
}
public static void main(String[] args) {
String salt = UUID.randomUUID().toString();
PasswordEncryptor encoderMd5 = new PasswordEncryptor(salt, "sha-256");
String encodedPassword = encoderMd5.encode("xiaochangwei's password");
System.out.println("加密后密码:" + encodedPassword + "\n密码长度:" + encodedPassword.length());
System.out.println("salt:" + salt);
}
}
运行结果如下:
加密后密码:3@12@g2a0bdgb16044@fdf5c0*d1!d625abc403*46b1a!c@a6@62F#!42cc662f 密码长度:64 salt:dc853799-fd09-48ed-b5c0-4b323cd39b53
在数据库中存储时,需要将salt和加密后的密码都进行存储。
在进行使用时,根据用户名查询出用户的盐 与输入的密码进行运算, 如果运算结果和数据库中存储的密码一致,则合法
效率上也只需要一次查询,不存在性能问题