I'm starting to build a small web-based application where I would
like to authenticate users, and hence need to store passwords.
After reading this:
http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
and many other posts that I zombie-surfed to from that page, I'm
now fearful of doing this badly. :(
My reading of that post was that I should be storing things as:
hash = md5('salty-' + password)
So when a user tries to authenticate, I need to:
1) validate the user id
2) find the unique "salt" I generated for that user when they
registered
3) pre- or post-pend the salt to the password entered (apparently
there is a difference??)
4) md5 the lot
5) check this md5(salt+password) against what I have stored.
So for each user, I need to store in my database:
UserName/UserID
Salt
Hashed_Password
Can the developers in the room confirm if this is the correct
approach?
Are there examples of better ways of doing this?
Regards
Brian
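As an added example (not code from the original post), the register/authenticate flow from steps 1 to 5 above, keeping exactly the three stored fields the post lists (user id, salt, hashed password) but swapping md5 for PBKDF2-HMAC-SHA256 from Python's standard library, which is a password-hashing construction rather than a fast general-purpose hash. The 16-byte salt, the iteration count, the in-memory dict standing in for the database and the sample usernames are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the database table: username -> (salt, hashed_password).
# Same three columns as in the post; a real app would persist these.
USERS = {}

# Assumption: PBKDF2 round count. Raise it as far as your login latency budget allows.
ITERATIONS = 600_000
SALT_BYTES = 16  # assumption: 128-bit random salt per user


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 takes the salt as its own parameter, so the "pre- or post-pend"
    # question from the post does not arise: the salt is mixed in by the KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    # Step "register": generate a fresh, unique salt and store salt + hash, never the password.
    salt = secrets.token_bytes(SALT_BYTES)
    USERS[username] = (salt, hash_password(password, salt))


def authenticate(username: str, password: str) -> bool:
    # Step 1: validate the user id.
    record = USERS.get(username)
    if record is None:
        # Do a dummy hash anyway so response time does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    # Step 2: find that user's salt.  Steps 3-4: hash the entered password with it.
    salt, stored = record
    candidate = hash_password(password, salt)
    # Step 5: compare with the stored hash, in constant time so timing does not
    # leak how many leading bytes matched.
    return hmac.compare_digest(candidate, stored)


def salts_are_unique(first: str, second: str) -> bool:
    # Two users with the same password must still get different stored hashes.
    return USERS[first][0] != USERS[second][0] and USERS[first][1] != USERS[second][1]


if __name__ == "__main__":
    register("brian", "correct horse battery staple")
    register("alice", "correct horse battery staple")
    print("brian, right password:", authenticate("brian", "correct horse battery staple"))
    print("brian, wrong password:", authenticate("brian", "hunter2"))
    print("unknown user:", authenticate("nobody", "anything"))
    print("same password, different hashes:", salts_are_unique("brian", "alice"))
```

Only `salt` and the PBKDF2 output are stored; because the salt is random per user, two users who pick the same password end up with different rows, which is the property the salt is there to provide.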