Background:
the history of store password in server, starts with plain text, to MD5, SHA-1, SHA-2, to add salt/pepper/multihashing, to bcrypt/Argon2id etc.
Best way so far to encrypt password on server :
use bcrypt(unless have specific reasons not to do it), set reasonable work factor(n, which means do 2^n times hashing), use salt/pepper.
MD5 and SHA-1/2/3 can make the info in any length to a fixed length string based on delicate designed hash function. However, MD5 and SHA-1 are proved they can be hacked.
哈希函数之MD5算法
哈希函数之SHA家族
What is salting?
it’s a unique and random string, which added tp each password when hashing. Each salt is unique to the user.
modern hashing algorithm will automatically add salt on your password, which makes it harder to decode.
密码加密存储技术详解(Password Storage Cheat Sheet)
What is bcrypt?
It’s a single direction hashing algorithm.
four parameters: myPW(plain text string), salt(128 bits random String-22 bytes), saltRound(default: 10, this is like a work factor, but we do (add salt + hash) 10 times.)
This is way better than MD5, because the output length of bcrypt is 60 and the MD is 32.
Bcrypt加密之新认识