When a user registers I take their password and secure it using hash and salt, which is then stored in a MySQL DB. So when a registered user tries to log in, how do I check if the password is valid?
The only method I can think of is to get their password, hash+salt it, then check if the hash+salt is in the DB. I am not sure how this is secure though? Because this would mean my code will hash+salt any password and find a match in the DB.
I read about generating a random salt every time the login page is hit, but doesn't this mean that if a registered user tries to log in, a new hash will be generated which will be different than the hash which was generated when the same user registered?
I would appreciate it if anyone can shed light on this. I am using Java.
Basically you have to store h(password+salt) and salt in the database. If some user tries to log in, you'll get his plain-text password. Then you get the salt of the user from your database, generate the hash of the password+salt, and if it's the same as the stored hash, the authentication was successful.
This is more secure than a basic hashed password, because it makes mass-bruteforcing from the hash a bit harder, because the attacker has to guess both the salt and the actual password. However, this does not make bruteforcing a single password harder, if the salts are public (or known to the attacker). It also makes rainbow-tables useless, which are massive lists of pregenerated hashes for common passwords.
To get a deeper explanation, look here or here
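The register and login flow described in the answer above, as an added Java example that is not part of the original post. It assumes an in-memory map in place of the MySQL table, a hypothetical class name `SaltedLogin`, and it swaps the plain h(password+salt) for PBKDF2-HMAC-SHA256 from the JDK with an assumed iteration count.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedLogin {
    // Stand-in for the users table: username -> {salt, hash} (hypothetical schema).
    private static final Map<String, byte[][]> USERS = new HashMap<>();
    private static final int ITERATIONS = 600_000; // assumed work factor, tune for your hardware
    private static final int HASH_BITS = 256;

    // PBKDF2-HMAC-SHA256 is used here instead of the plain h(password+salt) from the answer.
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Registration: the random salt is generated once and stored next to the hash.
    static void register(String user, char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put(user, new byte[][] { salt, hash(password, salt) });
    }

    // Login: fetch the row by username, reuse the stored salt, compare the two hashes.
    static boolean login(String user, char[] password) throws Exception {
        byte[][] row = USERS.get(user);
        if (row == null) return false; // unknown user, nothing to compare against
        byte[] candidate = hash(password, row[0]);
        return MessageDigest.isEqual(row[1], candidate); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        register("alice", "correct horse".toCharArray()); // constructed sample data
        register("bob", "correct horse".toCharArray());
        System.out.println(login("alice", "correct horse".toCharArray()));
        System.out.println(login("alice", "wrong guess".toCharArray()));
        // Same password for both users, but different salts give different stored hashes.
        System.out.println(MessageDigest.isEqual(USERS.get("alice")[1], USERS.get("bob")[1]));
    }
}
```

The lookup is keyed on the username, so a submitted password is only ever compared against that one user's stored hash, and the salt is never regenerated at login.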