On Friday, 27 November 2015 at 00:17:34 UTC, brian wrote:
I'm starting to build a small web-based application where I would like to authenticate users, and hence need to store passwords.

After reading this:
http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
and many other posts that I zombie-surfed to from that page, I'm now fearful of doing this badly. :(

My reading of that post was that I should be storing things as:

hash = md5('salty-' + password)

So when a user tries to authenticate, I need to:
1) validate the user id
2) find the unique "salt" I generated for that user when they registered
3) pre- or post-pend the salt to the password entered (apparently there is a difference??)
4) md5 the lot
5) check this md5(salt+password) against what I have stored.

So for each user, I need to store in my database:
UserName/UserID
Salt
Hashed_Password

Can the developers in the room confirm if this is the correct approach?
Are there examples of better ways of doing this?

Regards
Brian

Do not use MD5 or SHA for hashing passwords. Use PBKDF2, bcrypt, or maybe scrypt. There should be C libraries available for those algorithms; use them.

More info: http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846

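A worked version of the reply's advice, added here as an example and not code from either poster: registration and login with PBKDF2-HMAC-SHA256 from Python's standard-library hashlib, a per-user random salt from the CSPRNG, a constant-time comparison on verify, and the salt and iteration count stored alongside the hash in one self-describing record so the work factor can be raised later. The record format, the iteration count, the function names and the constructed sample credentials are this example's own choices, not anything from the thread.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters chosen for this example (assumptions, not from the thread).
# Tune ITERATIONS so that one verification costs roughly 100 ms on the
# server hardware; the whole point of PBKDF2/bcrypt/scrypt over MD5 is
# that the cost is adjustable and high enough to slow down offline guessing.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return one storable string: algorithm$iterations$salt$hash.

    Keeping the salt and the iteration count inside the record means the
    database needs a single column, and old records remain verifiable after
    ITERATIONS is raised for new ones.
    """
    if salt is None:
        # A fresh, unpredictable salt per user: identical passwords hash
        # differently and precomputed tables become useless.
        salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(derived)])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False  # malformed record, never treat as a match
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations), dklen=len(expected))
    # hmac.compare_digest avoids leaking, via timing, how many leading
    # bytes of the stored hash a guess happens to match.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with weaker parameters than current policy."""
    algorithm, stored_iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


def login(stored_record: str, password: str) -> tuple:
    """Verify a login; on success, return an upgraded record if one is due.

    Returns (ok, new_record_or_None). The caller persists new_record when
    it is not None, which transparently migrates users to stronger settings
    the next time they authenticate.
    """
    if not verify_password(password, stored_record):
        return False, None
    if needs_rehash(stored_record):
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed sample flow: register, then attempt two logins.
    users = {"brian": hash_password("correct horse battery staple")}
    print(users["brian"])
    print("right password:", login(users["brian"], "correct horse battery staple")[0])
    print("wrong password:", login(users["brian"], "hunter2")[0])
```

The same structure carries over unchanged to hashlib.scrypt or a bcrypt/argon2 binding: only the call inside hash_password and verify_password changes, and the record keeps telling you which algorithm and parameters produced each stored hash.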