Password Storage

brian via Digitalmars-d-learn digitalmars-d-learn at puremagic.com
Thu Nov 26 16:50:23 PST 2015


On Friday, 27 November 2015 at 00:42:09 UTC, Alex Parrill wrote:
> On Friday, 27 November 2015 at 00:17:34 UTC, brian wrote:
>> I'm starting to build a small web-based application where I 
>> would like to authenticate users, and hence need to store 
>> passwords.
>>
>> After reading this:
>> http://blog.codinghorror.com/youre-probably-storing-passwords-incorrectly/
>> and many other posts that I zombie-surfed to from that page, 
>> I'm now fearful of doing this badly. :(
>>
>> My reading of that post was that I should be storing things as:
>>
>> hash = md5('salty-' + password)
>>
>> So when a user tries to authenticate, I need to:
>> 1) validate the user id
>> 2) find the unique "salt" I generated for that user when they 
>> registered
>> 3) pre- or post-pend the salt to the password entered 
>> (apparently there is a difference??)
>> 4) md5 the lot
>> 5) check this md5(salt+password) against what I have stored.
>>
>> So for each user, I need to store in my database:
>> UserName/UserID
>> Salt
>> Hashed_Password
>>
>> Can the developers in the room confirm if this is the correct 
>> approach?
>> Are there examples of better ways of doing this?
>>
>> Regards
>> Brian
>
> Do not use MD5 or SHA for hashing passwords. Use PBKDF2, 
> bcrypt, or maybe scrypt. There should be C libraries available 
> for those algorithms; use them.
>
> More info: 
> http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846

Thanks for the blatant faux pas.
I wasn't going to use MD5, I just meant "hash it somehow", which 
was not apparent from my question. My bad.

Algorithm aside, the rest of that approach seems sensible then?

The hash implementation was probably going to be a part 2 of this 
question.
I'd use dcrypt (https://github.com/puzzlehawk/dcrypt) to keep all 
the d-goodness, but according to the author, that's not 
"production ready" yet.
In lieu of that, I'll have a gander at those libraries you 
mentioned.
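As an added example (not code from this thread, from dcrypt, or from the libraries Alex mentioned), here is the record layout Brian describes (UserName, Salt, Hashed_Password) built on PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count, salt length and output length are my assumptions, not values from the thread.

```python
import hashlib
import hmac
import os

# Added example, not from the thread. PBKDF2 takes the salt as its own
# parameter, so the "prepend or append the salt" question does not arise.
ITERATIONS = 600_000   # work factor (assumed); raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per user (assumed length)
KEY_BYTES = 32         # derived-hash length in bytes (assumed)


def register(username: str, password: str) -> dict:
    """Build the record to store for a new user: username, salt, work factor, hash."""
    salt = os.urandom(SALT_BYTES)  # random per user; stored in the clear, not secret
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return {
        "username": username,
        "salt": salt.hex(),
        "iterations": ITERATIONS,  # stored so the work factor can be raised later
        "hash": digest.hex(),
    }


def verify(record: dict, password: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"], dklen=KEY_BYTES
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    rec = register("brian", "correct horse battery staple")
    print(rec)
    print(verify(rec, "correct horse battery staple"))  # True
    print(verify(rec, "wrong password"))                # False
```

Two registrations of the same password produce different salts and therefore different hashes, which is what per-user salting buys you against precomputed tables.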
