Store password separately from username

Question

I have recently done an overview of my site security following the recent news articles around the high profile websites being hacked eg. LinkedIn

So my question is:

How is it possible to store a user’s password completely separate from their username and other information? This way a hacker could only potentially get a password and not the corresponding username.

Edit: I forgot to say that I'm already storing the passwords as a hash (and salting it).

Answer 1

No matter how you do it, there still needs to be a way for the authentication mechanism to tie the username/password together, so what you're seeking to do is futile.

Rather than going that route, you should be storing your passwords as Hash value that can't be decrypted, which is the accepted best practice.

http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database

Answer 2

I think the best way to add a security, is the same as Google Account use. When you login with the right password (encoded in the database using any algorythm you want, however I suggest Bcrpyt) you will receive a secret code on your phone. You can do it using email. It's becoming complicated, you could also add salt and stuff to get the thing harder to hack.

Remember, if you can create it, you can reverse it. Always. It's just a matter of how, time, sometime money and will.

For your question, no. You always need to tie the username (ie: the account) to the password. I guess you could store this in two database on two servers and use multiple server with salt and hash, but the correct and accepted way is simply to encode using an algorythm like I said and compare.