On storing passwords in the database

When I used to write my own websites for fun, I really didn't think about security at all. I did use md5 as a token gesture: on login I took the stored md5 value and compared it with the md5 of the entered password. There is no big problem with that method as such, apart from md5 collisions and things like that. The most serious problem at the time, however, was that the plaintext of the password was also stored. This plaintext was never used for anything, since login was compared against the md5 of the password, and I knew perfectly well that plaintext should not be stored, but I figured it didn't matter if I kept it, and it didn't waste much space. I was just amusing myself.

Some time ago I got an interview call from a company. The interviewer asked me how user passwords had been stored in my previous work. I said that the original password was hashed together with a salt value, fearing I would get flamed otherwise. The interviewer then asked: if the system wants to detect weak passwords, that is, detect some common passwords and remind users to change them, how would you do it? I thought, these are not plaintext, how can you detect that, and in a moment of brain freeze I said that if you save the plaintext you can detect it. I instantly felt rather stupid. Of course I was flamed and looked down upon, and then asked what the consequences of having plaintext passwords in my data store would be. I talked at length about the consequences, blah blah, but it did not help. Recently I thought about that question again, and it can in fact be done. 1. The system marks the strength of the password when the user registers. For users who already exist and were not marked before, there is another method; 2. Create a weak-password table, take the salt value from the user's record, run each entry in the weak-password table through the same hash algorithm used for the password at registration, and then compare the result with the user's stored password hash. If they are equal, a weak password has been detected.
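The two methods from the paragraph above, as an added example (not code from the original post): a strength flag recorded at registration, and a weak-password audit that re-hashes a dictionary with each user's own salt so the plaintext is never stored. The weak-password list is constructed here, and PBKDF2-HMAC-SHA256 stands in for the post's bare md5; the check works the same with any salted hash.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the post's "weak password table".
WEAK_PASSWORDS = ["123456", "password", "qwerty", "111111", "abc123"]

# Deliberately slow KDF; this also makes the audit below cost one KDF call
# per (user, dictionary entry), so the dictionary should stay short.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash as it would be stored in the user table."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(password: str, weak_list=WEAK_PASSWORDS) -> dict:
    """Method 1: store salt + hash only, and mark weak passwords while the
    plaintext is still in hand. The plaintext itself is never persisted."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": hash_password(password, salt),
        "weak": password in weak_list,
    }


def verify(record: dict, password: str) -> bool:
    """Normal login check: hash the attempt with the stored salt and compare
    in constant time."""
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def is_weak(record: dict, weak_list=WEAK_PASSWORDS) -> bool:
    """Method 2: for an existing user, re-hash every dictionary entry with
    this user's salt; a match means the stored password is a weak one."""
    for candidate in weak_list:
        if hmac.compare_digest(record["hash"], hash_password(candidate, record["salt"])):
            return True
    return False


def audit_users(users: dict, weak_list=WEAK_PASSWORDS) -> list:
    """Run the weak-password check over a {username: record} table and return
    the usernames that should be prompted to change their password."""
    return sorted(name for name, rec in users.items() if is_weak(rec, weak_list))
```

Because every user has a different salt, the dictionary has to be hashed once per user rather than once overall; that is the cost of never keeping plaintext.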


Origin http://43.154.161.224:23101/article/api/json?id=326107825&siteId=291194637