On Friday, 27 November 2015 at 00:17:34 UTC, brian wrote:
3) pre- or post-pend the salt to the password entered
(apparently there is a difference??)
Sorry to revive an old thread, but I wrote a blog post about this
question:
https://theartofmachinery.com/2016/01/03/What%20Difference%20Can%20Ord
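The "hash it somehow, with a salt" approach discussed in this thread, as an added worked example (my code, not anything posted to the list, and in Python rather than D so it runs stand-alone on a stock interpreter). It shows why a per-user random salt matters: two users with the same password get different stored hashes, whereas an unsalted digest makes them identical. The record layout, the function names, the salt length and the iteration count are all my assumptions; PBKDF2-HMAC-SHA256 from the standard library stands in for whatever slow, salted password hash you actually pick.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters (assumptions, not from the thread): a 16-byte random
# salt and an illustrative PBKDF2 iteration count. Tune the count for your
# hardware; it is the knob that makes offline guessing expensive.
SALT_BYTES = 16
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the per-user record that goes in the database.

    Only the salt, the iteration count and the derived hash are stored;
    the password itself never is. The salt parameter exists so tests can
    reproduce a record; in real use leave it None and let os.urandom pick it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest, record["hash"])


def naive_unsalted(password: str) -> bytes:
    """The approach the thread warns against: one fast, unsalted digest.

    Every user with this password gets the same output, so one cracked
    hash (or one precomputed table) unlocks all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


if __name__ == "__main__":
    alice = make_record("hunter2")
    bob = make_record("hunter2")
    print("salted records differ:", alice["hash"] != bob["hash"])
    print("unsalted digests equal:",
          naive_unsalted("hunter2") == naive_unsalted("hunter2"))
    print("login ok:", verify_password(alice, "hunter2"))
    print("wrong password rejected:", not verify_password(alice, "hunter3"))
```

On the salt-order question raised above: once you use an HMAC-based construction such as PBKDF2 you are no longer concatenating salt and password into a single digest at all, so the prepend-versus-append choice does not arise; it only matters when the "hash" is a bare digest over `salt + password` or `password + salt`.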
On Fri, 27 Nov 2015 08:09:49 -0800, H. S. Teoh via Digitalmars-d-learn
wrote:
> On Fri, Nov 27, 2015 at 02:51:30PM +, Adam D. Ruppe via
> Digitalmars-d-learn wrote:
>> On Friday, 27 November 2015 at 07:46:33 UTC, H. S. Teoh wrote:
>> >1) The server stores password01 in the user database.
>>
>
On Friday, 27 November 2015 at 16:14:06 UTC, H. S. Teoh wrote:
True, so you'd store hash(password01) in the database, and
compute
hash(X + hash(password)) during authentication.
T
Another option is SCRAM:
https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism
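The challenge-response scheme sketched in this exchange (server stores hash(password), sends a random challenge X, client answers with hash(X + hash(password)), the password itself never crosses the wire), as an added example with both sides of the exchange in one script. This is my illustration, not code from the thread, and in Python rather than D so it runs anywhere; SHA-256 stands in for "hash", `secrets.token_bytes` for the "good RNG", and the `Server`/`Client` class names, the single-use challenge table and the `respond_from_stolen_verifier` helper are my assumptions. The last function exists to show the caveat a practitioner should know before adopting this scheme: the stored value is itself enough to answer a challenge, which is the gap SCRAM was designed to close.

```python
import hashlib
import hmac
import secrets

# Assumed building block: the thread's "hash" is instantiated as SHA-256.


def hash_password(password: bytes) -> bytes:
    """hash(password): what the server stores instead of the password."""
    return hashlib.sha256(password).digest()


class Server:
    def __init__(self) -> None:
        self.users = {}    # username -> hash(password); the password is never kept
        self.pending = {}  # username -> outstanding challenge, consumed on use

    def register(self, username: str, password: bytes) -> None:
        self.users[username] = hash_password(password)

    def challenge(self, username: str) -> bytes:
        # A large random value from a CSPRNG; fresh per attempt so a captured
        # response cannot be replayed.
        x = secrets.token_bytes(32)
        self.pending[username] = x
        return x

    def verify(self, username: str, response: bytes) -> bool:
        x = self.pending.pop(username, None)   # single use
        stored = self.users.get(username)
        if x is None or stored is None:
            return False
        expected = hashlib.sha256(x + stored).digest()
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, password: bytes) -> None:
        self.password = password

    def respond(self, x: bytes) -> bytes:
        # hash(X + hash(password)): computed locally, only the result is sent.
        return hashlib.sha256(x + hash_password(self.password)).digest()


def run_exchange(server: Server, username: str, client: Client) -> bool:
    """Wire-level view: challenge goes down, response comes back, verdict."""
    x = server.challenge(username)
    return server.verify(username, client.respond(x))


def respond_from_stolen_verifier(stored_hash: bytes, x: bytes) -> bytes:
    """What someone holding a copy of the users table can do.

    The server's stored hash(password) is all the client-side computation
    needs, so whoever steals the table can log in without ever learning the
    password. That makes the stored value password-equivalent, which is the
    weakness SCRAM addresses.
    """
    return hashlib.sha256(x + stored_hash).digest()


if __name__ == "__main__":
    s = Server()
    s.register("brian", b"correct horse battery staple")
    print("right password:", run_exchange(s, "brian", Client(b"correct horse battery staple")))
    print("wrong password:", run_exchange(s, "brian", Client(b"guess")))
    x = s.challenge("brian")
    print("stolen table:", s.verify("brian", respond_from_stolen_verifier(s.users["brian"], x)))
```

Two more points the scheme above does not cover: because hash(password) here is a single fast, unsalted digest, a captured challenge/response pair still allows an offline dictionary attack against the password, and the challenge must really be single-use (the `pending.pop` above) or a replayed response is accepted.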
On Fri, Nov 27, 2015 at 02:51:30PM +, Adam D. Ruppe via Digitalmars-d-learn
wrote:
> On Friday, 27 November 2015 at 07:46:33 UTC, H. S. Teoh wrote:
> >1) The server stores password01 in the user database.
>
> I still wouldn't actually store this, hash it anyway and use that as
> the new "pass
On Friday, 27 November 2015 at 07:46:33 UTC, H. S. Teoh wrote:
1) The server stores password01 in the user database.
I still wouldn't actually store this, hash it anyway and use that
as the new "password".
On Friday, 27 November 2015 at 00:17:34 UTC, brian wrote:
[snip]
Can the developers in the room confirm if this is the correct
approach?
Are there examples of betters ways of doing this?
Regards
Brian
Botan has well thought out password hashing:
https://github.com/etcimon/botan/wiki/Passwo
On Fri, Nov 27, 2015 at 03:09:38AM +, brian via Digitalmars-d-learn wrote:
> On Friday, 27 November 2015 at 02:05:49 UTC, H. S. Teoh wrote:
> ...
> >At no time is the password ever sent over the network, encrypted or not.
> >
> >--T
> So, I understand what you are trying to say, but I'm stuck o
On Friday, 27 November 2015 at 02:05:49 UTC, H. S. Teoh wrote:
For authentication, the password shouldn't even be sent over
the wire. Instead, the server (which knows the correct
password) should send a challenge to the client
Most web setups can't rely on that tho cuz of the lameness of
clie
On Friday, 27 November 2015 at 02:05:49 UTC, H. S. Teoh wrote:
For authentication, the password shouldn't even be sent over
the wire. Instead, the server (which knows the correct
password) should send a challenge to the client (i.e., a large
random number produced by a good RNG -- which is diff
On Friday, 27 November 2015 at 02:05:49 UTC, H. S. Teoh wrote:
...
At no time is the password ever sent over the network,
encrypted or not.
--T
So, I understand what you are trying to say, but I'm stuck on the
specifics of implementation, if you'll bear with me.
For authentication, the passw
On Fri, Nov 27, 2015 at 12:17:32AM +, brian via Digitalmars-d-learn wrote:
> I'm starting to build a small web-based application where I would like
> to authenticate users, and hence need to store passwords.
>
> After reading this:
> http://blog.codinghorror.com/youre-probably-storing-password
On Friday, 27 November 2015 at 00:50:25 UTC, brian wrote:
Thanks for the blatant faux pas.
I wasn't going to use MD5, I just meant "hash it somehow",
which was not apparent from my question. My bad.
Algorithm aside, the rest of that approach seems sensible then?
The hash implementation was p
On Friday, 27 November 2015 at 00:42:09 UTC, Alex Parrill wrote:
On Friday, 27 November 2015 at 00:17:34 UTC, brian wrote:
I'm starting to build a small web-based application where I
would like to authenticate users, and hence need to store
passwords.
After reading this:
http://blog.codinghor
On Friday, 27 November 2015 at 00:17:34 UTC, brian wrote:
I'm starting to build a small web-based application where I
would like to authenticate users, and hence need to store
passwords.
After reading this:
http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
and many oth