On Friday, 27 November 2015 at 00:42:09 UTC, Alex Parrill wrote:
On Friday, 27 November 2015 at 00:17:34 UTC, brian wrote:
I'm starting to build a small web-based application where I
would like to authenticate users, and hence need to store
passwords.
After reading this:
http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
and many other posts that I zombie-surfed to from that page,
I'm now fearful of doing this badly. :(
My reading of that post was that I should be storing things as:
hash = md5('salty-' + password)
So when a user tries to authenticate, I need to:
1) validate the user id
2) find the unique "salt" I generated for that user when they
registered
3) pre- or post-pend the salt to the password entered
(apparently there is a difference??)
4) md5 the lot
5) check this md5(salt+password) against what I have stored.
So for each user, I need to store in my database:
UserName/UserID
Salt
Hashed_Password
Can the developers in the room confirm if this is the correct
approach?
Are there examples of better ways of doing this?
Regards
Brian
Do not use MD5 or SHA for hashing passwords. Use PBKDF2,
bcrypt, or maybe scrypt. There should be C libraries available
for those algorithms; use them.
More info:
http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846
Thanks for the blatant faux pas.
I wasn't going to use MD5, I just meant "hash it somehow", which
was not apparent from my question. My bad.
Algorithm aside, the rest of that approach seems sensible then?
The hash implementation was probably going to be a part 2 of this
question.
I'd use dcrypt (https://github.com/puzzlehawk/dcrypt) to keep all
the d-goodness, but according to the author, that's not
"production ready" yet.
In lieu of that, I'll have a gander at those libraries you
mentioned.
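
An added example, not part of the thread and not code from any poster: the per-user-salt flow brian lists, with PBKDF2 (one of the algorithms Alex names) in place of a plain hash, written in Python using only the standard library. The `db` dict, the function names and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumed work factor; tune it to your own hardware
SALT_BYTES = 16
_DUMMY_SALT = secrets.token_bytes(SALT_BYTES)  # used only for unknown user ids


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256: the salt is an input to the KDF, not string-concatenated
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(db: dict, user_id: str, password: str, iterations: int = ITERATIONS) -> None:
    # A fresh random salt per user, stored beside the hash (it is not a secret)
    salt = secrets.token_bytes(SALT_BYTES)
    db[user_id] = {
        "salt": salt,
        "iterations": iterations,  # stored so the work factor can be raised later
        "hash": _derive(password, salt, iterations),
    }


def verify(db: dict, user_id: str, password: str) -> bool:
    rec = db.get(user_id)
    if rec is None:
        # Unknown id: do the same work so response time does not reveal valid ids
        _derive(password, _DUMMY_SALT, ITERATIONS)
        return False
    candidate = _derive(password, rec["salt"], rec["iterations"])
    # Constant-time comparison instead of ==
    return hmac.compare_digest(candidate, rec["hash"])


def needs_rehash(db: dict, user_id: str) -> bool:
    # True when the record was created with a weaker work factor than the current one
    return db[user_id]["iterations"] < ITERATIONS


if __name__ == "__main__":
    users = {}  # constructed in-memory stand-in for the user table
    register(users, "brian", "correct horse battery staple")
    print(verify(users, "brian", "correct horse battery staple"))
    print(verify(users, "brian", "wrong guess"))
```

After a successful login, a record for which `needs_rehash` returns true can be re-registered with the password just supplied, which upgrades old hashes without a forced reset.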