webDeveloper

Reputation: 1314

How does Secure User authentication work?

When a user registers I take their password and secure it using hash and salt, which is then stored to mysql DB. So when a registered user tries to login how do I check if the password is valid?

The only method I can think of is to get their password, hash+salt it, then check if the hash+salt is in the DB. I am not sure how this is secure, though, because this would mean my code will hash+salt any password and find a match in the DB.

I read about generating a random salt every time the login page is hit, but doesn't this mean that if a registered user tries to log in, a new hash will be generated which will be different from the hash that was generated when the same user registered?

I would appreciate if anyone can shed light on this. I am using Java.

Upvotes: 3

Views: 890

Answers (2)

DBC Media Services

Reputation: 1

In my case I store the hashed (salt+password) and the salt in the DB. When the user provides the login and password, I get the salt, add it to the provided password, then hash and compare to the stored hashed password from the DB. If equal/correct, I regenerate a new salt and store it, then add the new salt to the correct password, then hash and store.

Upvotes: 0

Simiil

Reputation: 2311

Basically, you have to store h(password+salt) and salt in the database. If some user tries to log in, you'll get their plain-text password. Then you get the salt of the user from your database, generate the hash of the password+salt, and if it's the same as the stored hash, the authentication was successful.

This is more secure than a basic hashed password because it makes mass brute-forcing from the hash a bit harder, because the attacker has to guess both the salt and the actual password. However, this does not make brute-forcing a single password harder if the salts are public (or known to the attacker). It also makes rainbow tables useless, which are massive lists of pregenerated hashes for common passwords.

To get a deeper explanation, look here or here

Upvotes: 2
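The register/verify flow described in the question and in the answer above, as an added Java example (it is not code from the asker or from either answerer). Two points it makes concrete: the salt is generated once at registration, stored in the clear next to the hash, and read back at login, so the login path never needs a "new" salt; and the stored hash can only be checked by re-running the same derivation on the candidate password, which is exactly the "hash any password and look for a match" step the asker was unsure about. Its security comes from the derivation being slow and per-user, not from the salt being secret. The example swaps in PBKDF2-HMAC-SHA256 (JDK built-in, via `SecretKeyFactory`) for the unspecified hash in the answer, and the record layout `iterations$salt$hash`, the class name `PasswordStore`, the method names and the iteration count are all assumptions made for this example; the comparison uses `MessageDigest.isEqual` so that a wrong password takes the same time regardless of where the first differing byte is.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not from the original page. Names and the record format are assumptions.
public class PasswordStore {
    private static final int SALT_BYTES = 16;        // 128-bit random salt per user
    private static final int ITERATIONS = 310_000;   // assumed work factor; tune to ~100 ms on your server
    private static final int KEY_BITS = 256;
    private static final String KDF = "PBKDF2WithHmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();

    // Registration: draw a fresh salt, derive the hash, and return one string for the DB column,
    // e.g. INSERT INTO users (name, password_record) VALUES (?, ?)
    public static String hashForStorage(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
    }

    // Login: SELECT password_record FROM users WHERE name = ?, then call this with the submitted password.
    // The salt comes out of the stored record; it is not regenerated here.
    public static boolean verify(char[] password, String storedRecord) {
        String[] parts = storedRecord.split("\\$");
        if (parts.length != 3) {
            return false;                            // malformed record: fail closed
        }
        int iterations = Integer.parseInt(parts[0]);
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(parts[1]);
        byte[] expected = dec.decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations);
        // Constant-time comparison: no early exit on the first mismatching byte.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(KDF + " unavailable", e);
        }
    }

    public static void main(String[] args) {
        char[] pw = "correct horse battery staple".toCharArray();   // constructed sample input
        String record = hashForStorage(pw);                         // what goes into MySQL
        System.out.println("stored record: " + record);
        System.out.println("right password accepted: " + verify(pw, record));
        System.out.println("wrong password rejected: " + !verify("hunter2".toCharArray(), record));
        // Registering the same password twice yields different records because each gets its own salt,
        // which is what defeats precomputed tables and cracking many users with one guess.
        System.out.println("same password, different record: " + !record.equals(hashForStorage(pw)));
    }
}
```

Storing the iteration count inside the record lets you raise the work factor later and re-hash each user on their next successful login without breaking existing rows; re-salting on every login, as the first answer describes, costs a write per login and does not change what an attacker who dumps the table can do, since they get the current salt either way.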
