Password Storage

Alex Parrill via Digitalmars-d-learn digitalmars-d-learn at puremagic.com
Thu Nov 26 16:42:07 PST 2015


On Friday, 27 November 2015 at 00:17:34 UTC, brian wrote:
> I'm starting to build a small web-based application where I 
> would like to authenticate users, and hence need to store 
> passwords.
>
> After reading this:
> http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
> and many other posts that I zombie-surfed to from that page, 
> I'm now fearful of doing this badly. :(
>
> My reading of that post was that I should be storing things as:
>
> hash = md5('salty-' + password)
>
> So when a user tries to authenticate, I need to:
> 1) validate the user id
> 2) find the unique "salt" I generated for that user when they 
> registered
> 3) pre- or post-pend the salt to the password entered 
> (apparently there is a difference??)
> 4) md5 the lot
> 5) check this md5(salt+password) against what I have stored.
>
> So for each user, I need to store in my database:
> UserName/UserID
> Salt
> Hashed_Password
>
> Can the developers in the room confirm if this is the correct 
> approach?
> Are there examples of better ways of doing this?
>
> Regards
> Brian

Do not use MD5 or SHA for hashing passwords. Use PBKDF2, bcrypt, 
or maybe scrypt. There should be C libraries available for those 
algorithms; use them.

More info: 
http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846

