Reputation: 69
How users are verified when passwords are NOT stored as plain text in the database?
I know it is bad to store password as plain text in DB, because if hackers gain access to the server's DB, all usernames and passwords will be completely exposed? Therefore, original passwords are passed through hash functions, afterward they are stored in DB as series of incomprehensible characters of the same length. That is a good thing for security.
But...how can the server verify if the users enter correct passwords or not? Since the users enter their passwords in their original forms (eg: whoami, ilovecomputer...), but the server store them under "hashed" forms (eg: 234203409803249580980gfdg41cdvd4, jknegnergiuhiuhdni4584234dfgbn4j....). How can the user-entered password and the sever-stored password be matched?
Upvotes: 0
Views: 574
Answers (2)
Reputation: 300
Here is how you authenticate users without storing their password in clear text.
You will need TWO database columns to do this. Column 1 - Password Hash, Column 2 - Salt
Column 2 - Salt is a randomly generated value that your code/system generates for each user and it is random without it ever being exposed to any UI or backend system. (I'll explain the use below)
Column 1 - Will be the HASHED value of the user's password + (concatenate) salt.
You can read more about hashing here Common Hashing Algorithms
How this whole thing works:
Hashing: Hashing is a way to create a UNIQUE value for each string based on an algorithm. The uniqueness varies based on the algorithm but unless you have a gazillion records, you should be fine. Also, the HASH value of each string is unique. Meaning the Hash of a string "test" will always be the same, lets say "123"
Salt: Salt is just a random string that is added to each password. This way the HASH value is calculated as user's PASSWORD + SALT. This ensures that even if multiple users use the same password, their Password Hash (HASH(Password+Salt)) will be unique.
Setting the password
- When the user set's their password, they will provide a password.
- Your code will randomly generate a "salt" value.
- A third variable PasswordAndSalt = password + salt will be created.
- Then a fourth variable hashValue = HASH(PasswordAndSalt) will be generated.
- You would then save the hashValue in Password Hash (column 1) and Salt in Salt (column 2).
Adding SALT is a counter measure so if two users use the same password, the HASH value will still be different.
Validating User When the user enters their username and password, this is how your code will execute.
Check if the username exists.
- If the username exists, get its SALT value.
- Take the password user provided and concatenate the SALT value you got from DB.
- Calculate HASH value for password + SALT
- If the calcualted HASH value matches the SALT value in your DB, authenticate the user.
- Else, tell the user authentication failed.
Upvotes: 0
Reputation: 5636
Let H be a password hashing function. One simple property of these functions is that they a deterministic, i.e. same input outputs the same value.
First time: When users register onto the website, they require the users' password, usually two fields. Now the password is hashed h = H(passwd) and stored in the database for the user.
Later time: User enters the user name and password, then the server gets the h from the database by using the user name. Hashes the currently entered password pwd, too. if H(pwd) = h then entered password is correct. Your server lets the user continue to the system.
The above are the basics of the password system, however, that is not enough. a little gist of the password hashing;
- For password hashing we don't use the cryptographic hashes at least directly. Cryptographic hashes are required to be fast, however, password hashing is required to be slow even controllably slow with adjustable iteration. This helps to systems to fit to desired security.
- We use salt against the rainbow attack; random salt per user will prevent the rainbow attacks. We also use pepper as server salt for domain separations.
- We require memory-hard password hashing to prevent massive GPU/ASIC/FPGA password search. See hashcat for some comparison of password hashings.
- Require threads against parallelization, too.
- We used specially designed password hashing like PBKDF2, Scrypt, Argon2. Argon2 was the winner of the latest password hashing competition. It is advised for everybody to use Argon2id in their new system.
The Final, and most important point is to educate the user about passwords. Firstly, introduce then the dicewire or similar password generation methods, and secondly, introduce them to password managers like 1passwords.
Upvotes: 1
Related Questions
- Flow of validating a user with hashed password?
- What is the process of checking passwords in databases?
- Does user input need to be hashed before being used in password_verify?
- Hashing function encryption - how does database know whether password is correct?
- AdventureWorks2012 DB - how the password validated in sql?
- How to verify password against database?
- How do modern websites check your password without actually storing it?
- How passwords are secured while registering it?
- What have in mind when they say that it need to store password hash in the database?
- Storing passwords in a database when hashing doesn't apply