topherg

Reputation: 4303

How should I store passwords?

I have a system that needs logins, but who I'm building it for is requiring the transmission of the passwords during login to be very secure (even using SSL). So I'm using a variant of the Digest access authentication to transmit login requests. The only problem I'm having now is how to store the passwords on the database (in a secure salted hash preferably) so they can be used with the digest request, and the password at no point is in a non-hashed format, except on the client's browser for a few seconds.

So, in a nutshell, how can I store passwords securely but allow for a digest (with a different and ever-changing nonce to the database's salt) to authenticate?

Upvotes: 0

Views: 175

Answers (2)

Vidul

Reputation: 10556

You may want to take a look at the source code of this Perl module; it manages *nix accounts.

Upvotes: 0

Oliver Charlesworth

Reputation: 272687

As I understand it, this mechanism sends something like:

hash(nonce + hash(password + salt))

So on the server, you just need to store hash(password + salt) and salt.

Upvotes: 1
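The exchange described in the answer above, worked through as an added example (not code from the question or the answer): registration stores `salt` and `hash(password + salt)`, login hands the client a fresh nonce, the client returns `hash(nonce + hash(password + salt))`, and the server recomputes that from the stored value. The class and function names, the 16-byte sizes and the choice of SHA-256 are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Added example illustrating the scheme from the answer above; not the original
# poster's code. Names, sizes and the SHA-256 choice are assumptions.


def make_verifier(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Registration: derive the stored value hash(password + salt) from the password."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt, stored alongside the hash
    stored = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return salt, stored


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Browser side: rebuild hash(password + salt), then hash it with the server's nonce.
    The plaintext password never leaves this function."""
    inner = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hashlib.sha256(nonce + inner).digest()


class DigestServer:
    """Server side: keeps (salt, stored hash) per user and one outstanding nonce per login."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, stored)
        self.pending: Dict[str, bytes] = {}               # username -> unused nonce

    def register(self, username: str, password: str) -> None:
        self.users[username] = make_verifier(password)

    def challenge(self, username: str) -> Tuple[bytes, bytes]:
        """Start a login: send the client its salt and a fresh random nonce."""
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce          # replaces any earlier challenge
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Finish a login: recompute hash(nonce + stored) and compare in constant time.
        The nonce is consumed whether or not the check passes, so a captured
        response cannot be replayed."""
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False                        # no outstanding challenge for this user
        _, stored = self.users[username]
        expected = hashlib.sha256(nonce + stored).digest()
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = DigestServer()
    server.register("alice", "correct horse battery staple")   # constructed sample user
    salt, nonce = server.challenge("alice")
    print("login ok:", server.verify("alice", client_response("correct horse battery staple", salt, nonce)))
```

Two things worth noticing in `verify`: it consumes the nonce on every attempt, so the same response cannot be presented twice, and it needs nothing beyond the stored `(salt, hash)` pair to produce the expected value. That second point is the caveat of this design: whoever holds a copy of the stored hash can answer the challenge without knowing the password, so the database column has to be protected as a credential, not just as a verifier. The plain SHA-256 here stands in for whatever password hash is chosen; since the client must compute the same inner hash, both sides have to agree on it.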
