Re: Password Storage

Thu, 26 Nov 2015 19:11:35 -0800 

On Friday, 27 November 2015 at 02:05:49 UTC, H. S. Teoh wrote:
...
At no time is the password ever sent over the network, encrypted or not. 

--T

So, I understand what you are trying to say, but I'm stuck on the 
specifics of implementation, if you'll bear with me.



For authentication, the password shouldn't even be sent over 
the wire. Instead, the server (which knows the correct 
password) should send a challenge to the client



So my app is web based, so I don't really have a "client-server" 
model you are suggesting.
I'm building it using Vibe.d with a mongodb backend, so hopefully 
the "client" will be a web-browser (or in future iterations, a 
mobile device - let's ignore that for now).



random number produced by a good RNG -- which is different each 
time the user authenticates)

I'm not sure why I need this, so I'm going to break down and 
example.


Bob comes in with password "Password01"

Once he enters "Password01" I want to:
Add a string to it:
"StaticRandomString~Password01"

Then hash it:
hash("StaticRandomString~Password01")

which gives me
"I#$%am%^&Random(*&LOL*&"


Then to verify Bob is Bob I need to verify 
"I#$%am%^&Random(*&LOL*&" against something in the database?

So in my DB I need to store :
"I#$%am%^&Random(*&LOL*&"


If *this* is the scenario, then the "StaticRandomString" needs to 
be the same all the time, so I need to store that in the DB too, 
no?

So now my DB contains:
"StaticRandomString"
"I#$%am%^&Random(*&LOL*&"


Your solution was to random generate the random string at 
verification time.

If I do that I have:
"RunTimeRandomString~Password01"

Then hash that to get
"I#$%Too$%456^(am(*$&Random(*&LOL*&"

However I can't store that in the DB, because the
"RunTimeRandomString"


which will produce a different hashed value. Sooo, I need to 
change this scenario to:
Get the Password from the client/user and hash it. Then add on 
the randomness:

"RunTimeRandomString~hashed(clientEntered-Password01)"

Get that answer back.

Get the password from the server/database and hash it. Add on the 
same randomness.

"RunTimeRandomString~hashed(actualPassword-Password01)"

Thus in my db I only need to stored
hashed(Password01)

Compare results.
...
Profit.

Am I correct in these descriptions?
Which is better?


I know this is pedantic and not very language specific, but this 
is the crux of what I want to know.
Doing it is easy. The "making sure I'm doing it right" bit is 
hard...





















					Reply via email to