Reputation: 107
I'm having trouble understanding the hashing function used in password encryption. Let's say a user signs up to a website, the password goes through the hash function and a digest lands in a database. So, the actual password isn't stored in the database. Now, when the user wants to log in, he types in the password. How does the database know that the password is correct? Does the password typed during login go through the hash function again? But then we'll have two different digests, so how does it proceed?
Upvotes: 1
Views: 48
Reputation: 112857
To elaborate on @ArtjomB.
It is usual to save the salt and iteration count with the hashed password, sometimes concatenated in front of the hash with separator characters.
Then the same salt and iteration count can be applied to the password attempt to produce a matching hash.
Note: Neither the salt nor iteration count need to be secret.
One of the better functions to use is PBKDF2 (Password Based Key Derivation Function 2) instead of a primitive hash function such as SHA256 or HMAC with SHA256. MD5 and SHA1 functions should not be used.
Upvotes: 2