Password Storage
brian via Digitalmars-d-learn
digitalmars-d-learn at puremagic.com
Thu Nov 26 19:09:38 PST 2015
On Friday, 27 November 2015 at 02:05:49 UTC, H. S. Teoh wrote:
...
> At no time is the password ever sent over the network,
> encrypted or not.
>
> --T

So, I understand what you are trying to say, but I'm stuck on the
specifics of implementation, if you'll bear with me.

> For authentication, the password shouldn't even be sent over
> the wire. Instead, the server (which knows the correct
> password) should send a challenge to the client

So my app is web based, so I don't really have a "client-server"
model you are suggesting.
I'm building it using Vibe.d with a mongodb backend, so hopefully
the "client" will be a web-browser (or in future iterations, a
mobile device - let's ignore that for now).

> random number produced by a good RNG -- which is different each
> time the user authenticates)

I'm not sure why I need this, so I'm going to break down an
example.

Bob comes in with password "Password01"

Once he enters "Password01" I want to:

Add a string to it:
"StaticRandomString~Password01"

Then hash it:
hash("StaticRandomString~Password01")
which gives me
"I#$%am%^&Random(*&LOL*&"

Then to verify Bob is Bob I need to verify
"I#$%am%^&Random(*&LOL*&" against something in the database?

So in my DB I need to store:
"I#$%am%^&Random(*&LOL*&"

If *this* is the scenario, then the "StaticRandomString" needs to
be the same all the time, so I need to store that in the DB too,
no?

So now my DB contains:
"StaticRandomString"
"I#$%am%^&Random(*&LOL*&"

Your solution was to random generate the random string at
verification time.
If I do that I have:
"RunTimeRandomString~Password01"

Then hash that to get
"I#$%Too$%456^(am(*$&Random(*&LOL*&"

However I can't store that in the DB, because the
"RunTimeRandomString"
which will produce a different hashed value. Sooo, I need to
change this scenario to:

Get the Password from the client/user and hash it. Then add on
the randomness:
"RunTimeRandomString~hashed(clientEntered-Password01)"
Get that answer back.

Get the password from the server/database and hash it. Add on the
same randomness.
"RunTimeRandomString~hashed(actualPassword-Password01)"

Thus in my db I only need to store
hashed(Password01)

Compare results.
...
Profit.

Am I correct in these descriptions?
Which is better?

I know this is pedantic and not very language specific, but this
is the crux of what I want to know.
Doing it is easy. The "making sure I'm doing it right" bit is
hard...
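
The two schemes described in the message above, side by side, as an added example that is not part of the original post. It assumes PBKDF2-HMAC-SHA256 in place of the post's hash(), HMAC-SHA256 to mix the per-login random string with the stored hash, and a plain dict as the database; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example


def slow_hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for the post's hash(); salt is the "random string".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Scenario 1: a random string generated once per user, stored beside the hash.
def register(db: dict, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    db[user] = {"salt": salt, "hash": slow_hash(password, salt)}


def verify_stored(db: dict, user: str, password: str) -> bool:
    rec = db.get(user)
    if rec is None:
        return False
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(rec["hash"], slow_hash(password, rec["salt"]))


# Scenario 2: a fresh random string per login, mixed with the stored hash.
def new_challenge() -> bytes:
    return secrets.token_bytes(16)


def response_from_verifier(verifier: bytes, challenge: bytes) -> bytes:
    return hmac.new(verifier, challenge, hashlib.sha256).digest()


def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    # The client is sent the salt and the challenge, rebuilds the stored
    # hash from the typed password, and answers without sending the password.
    return response_from_verifier(slow_hash(password, salt), challenge)


def verify_challenge(db: dict, user: str, challenge: bytes, response: bytes) -> bool:
    rec = db.get(user)
    if rec is None:
        return False
    expected = response_from_verifier(rec["hash"], challenge)
    return hmac.compare_digest(expected, response)
```

In scenario 2 a response is only valid for the challenge it was computed for, but the stored hash by itself is enough to compute a valid response, so that database field has to be protected like the password itself.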