所以，因为他们更改密码/登录名/盐值组合为code是无法逆转的哈希值是有用的。客户端发送该散列到服务器。服务器散列比较存储散列的列表，以查看是否在客户端的用户可被允许访问。 但我怎么prevent截获的哈希密码和编写自己的客户端，将此哈希发送到服务器的恶意用户？

So, hashes are useful because they change password/login name/salt value combinations to a code that cannot be reversed. The client sends this hash to the server. The server compares the hash to a list of stored hashes to see if the client's user may be granted access. But how do I prevent a malicious user from intercepting the hashed password and writing his own client that sends this hash to the server?

推荐答案

如果有人得到了保持你的数据库的备份，或者被只读访问实时数据库哈希是有用的。他们不能再制定出密码，并将其发送给你的生活系统。这就是为什么你盐的他们，使之与黑客只读访问不能设置自己的密码，然后看看是否其他人有相同的密码。

Hashes are useful if someone gets a hold of a backup of your database or gets read only access to the live db. They can't then work out the password and send it to your live system. This is why you salt them, so that a hacker with read only access can not set his password and then look to see if anyone else has the same password.

正如你所指出的那样，他们不停止请求拦截（人在中间人攻击）停止，你需要使用与数据包加密和签名的安全连接。 HTTPS 和放大器; SSL 是最常见的方法可以做到这一点。

As you have pointed out they don't stop request interception (Man in the middle attacks) to stop that you need to use secure connections with packet encryption and signing. HTTPS & SSL are the most common ways to do this.