Password Storage

brian via Digitalmars-d-learn digitalmars-d-learn at puremagic.com
Thu Nov 26 16:17:32 PST 2015


I'm starting to build a small web-based application where I would 
like to authenticate users, and hence need to store passwords.

After reading this:
http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
and many other posts that I zombie-surfed to from that page, I'm 
now fearful of doing this badly. :(

My reading of that post was that I should be storing things as:

hash = md5('salty-' + password)

So when a user tries to authenticate, I need to:
1) validate the user id
2) find the unique "salt" I generated for that user when they 
registered
3) pre- or post-pend the salt to the password entered (apparently 
there is a difference??)
4) md5 the lot
5) check this md5(salt+password) against what I have stored.

So for each user, I need to store in my database:
UserName/UserID
Salt
Hashed_Password

Can the developers in the room confirm if this is the correct 
approach?
Are there examples of better ways of doing this?

Regards
Brian

