Password hashing with MD5 plus salt: registration, verification and modification modules

Idea:
    A plain MD5 hash of a password is easy to crack by collision. Appending a random string (the salt) to the password before hashing it with MD5 makes this harder.
The salt then acts as the other half of the secret, so it must be stored in the database to verify the password later.

Implementation process:
    1. Write MD5 tool class
    2. Password module when adding a new user
    3. Login verification password module
    4. Password modification module for modifying user information

1. Write MD5 tool class

import java.security.SecureRandom;

import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.DigestUtils;

public class MD5Util {

	// Generate a 6-character random salt made of digits and upper/lower-case letters.
	// SecureRandom instead of java.util.Random: a salt must not be predictable.
	public static String getSaltString(){
		String str="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
		SecureRandom random=new SecureRandom();
		StringBuilder sb = new StringBuilder();
		for(int i=0;i<6;i++){
			int num=random.nextInt(str.length());
			sb.append(str.charAt(num));
		}
		return sb.toString();
	}

	// Hash password + salt together with MD5 and return the lower-case hex digest.
	public static String toMD5String(String str,String salt){
		try{
			return Hex.encodeHexString(DigestUtils.md5(str+salt));
		}catch(Exception e){
			return null;
		}
	}
}

2. Password module when adding a new user

//******
// Get a random salt
String salt=MD5Util.getSaltString();
// Hash the password and salt together and store the salted digest in the database
user.setPassword(MD5Util.toMD5String(user.getPassword(),salt));
// Store the salt alongside it
user.setSalt(salt);
userService.insertUsers(user);

3. Login verification password module

//******
//userName: the username sent by the front end
//password: the plaintext password sent by the front end, to be verified
//user: the user record from the database
List<User> users = userService.getUsersByName(userName);
if(users.isEmpty()){
	// Unknown user: same response as a wrong password, so the two cases look alike
	return "密码不正确!";
}
User user = users.get(0);
// Hash the plaintext with the stored salt and compare with the stored digest; equal means the password is correct
if(user.getPassword().equals(MD5Util.toMD5String(password,user.getSalt()))){
	session.setAttribute("user", user);
	return "toIndex.do";
}else{
	return "密码不正确!";	// "Incorrect password!"
}

4. Password modification module for modifying user information

//user: the user object sent by the front end with the edits to apply
//oldUser: the matching user record in the database
//isPswUnchanged: flag sent by the front end saying whether the user changed the password: true = unchanged, false = changed
//(it only serves to tell whether the password field was edited; this could also be decided on the back end)
User oldUser=(User)userMapper.selectByPrimaryKey(user.getUserId());
// Candidate digest = MD5(plaintext password entered by the user + stored salt)
String password=MD5Util.toMD5String(user.getPassword(),oldUser.getSalt());
// Password was changed: generate a fresh salt and re-hash
if(!isPswUnchanged&&!oldUser.getPassword().equals(password)){
	String salt=MD5Util.getSaltString();
	user.setPassword(MD5Util.toMD5String(user.getPassword(),salt));
	user.setSalt(salt);
}else{
	// Password unchanged: keep the stored digest and salt
	user.setPassword(oldUser.getPassword());
	user.setSalt(oldUser.getSalt());
}
userService.updateUser(user);
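The three modules above stitched into one self-contained class, as an added example rather than code from the original post: it keeps the page's hex(MD5(password + salt)) construction and 6-character alphanumeric salt, but draws the salt from SecureRandom and compares digests in constant time. StoredCredential and setPassword are stand-in names for the page's User entity and its insert/update code; the example assumes Java 17 or later for HexFormat.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;

public class SaltedPasswordDemo {
    // Stand-in for the page's User entity: only the two fields the scheme stores.
    static final class StoredCredential { String passwordHash; String salt; }
    private static final SecureRandom RNG = new SecureRandom();
    private static final String ALPHABET =
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    // Same 6-character alphanumeric salt as MD5Util, but drawn from SecureRandom.
    static String newSalt() {
        StringBuilder sb = new StringBuilder(6);
        for (int i = 0; i < 6; i++) sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        return sb.toString();
    }

    // hex(MD5(password + salt)): the exact value the page writes to the database.
    static String md5Hex(String password, String salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            return HexFormat.of().formatHex(md.digest((password + salt).getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    // Steps 2 and 4: a new password always gets a fresh salt; the plaintext is never stored.
    static void setPassword(StoredCredential c, String plaintext) {
        c.salt = newSalt();
        c.passwordHash = md5Hex(plaintext, c.salt);
    }

    // Step 3: recompute with the stored salt and compare in constant time.
    static boolean verify(StoredCredential c, String attempt) {
        byte[] stored = c.passwordHash.getBytes(StandardCharsets.UTF_8);
        byte[] computed = md5Hex(attempt, c.salt).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(stored, computed);
    }

    public static void main(String[] args) {
        StoredCredential c = new StoredCredential();
        setPassword(c, "correct horse");                       // registration (step 2)
        System.out.println("login ok: " + verify(c, "correct horse") + ", wrong pw: " + verify(c, "wrong horse"));
        String oldSalt = c.salt;
        setPassword(c, "new secret");                          // password change (step 4)
        System.out.println("re-salted: " + !oldSalt.equals(c.salt) + ", new login ok: " + verify(c, "new secret"));
    }
}
```

A per-user salt only defeats precomputed tables; because MD5 is fast, brute force against a single stolen digest remains cheap, so a deliberately slow password hash would raise that cost further.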

    That completes the three modules of salted-MD5 password handling: adding a user, verifying at login, and changing the password.

    A side note on the administrator's user-management module:
    Requirements: the administrator obtains a list of all users and can add, delete and modify users, including changing their passwords.

    When the back end returns the list of all users, it must take care not to send sensitive fields such as the password digest and the salt to the front end.

Origin blog.csdn.net/qq_38118138/article/details/118087040