Reputation: 34534
I am working on an application that requires users to authenticate. I am doing this by having a database that has a profile table and has inside the table a username and password. I was going to have the user input their username and password and then compare their given data against the data in the database. And if they were the same, then they are logged in. Is this the correct way to do this?
If this is the correct way to do this, how do I compare the user's given password to the password in the database? The password in the database was encrypted using the PASSWORD function.
Thanks!
Upvotes: 0
Views: 1630
Reputation: 8563
You have the basics, yes. It's customary to add a salt to the password and then hash it using a one-way hashing algorithm such as SHA1(), SHA256() etc. Then store the username, the salt and the hashed password+salt in your db. When verifying the credentials you retrieve the salt based on the username, then use it to hash the provided password, then compare it to the one you have stored. A failed response to the user should not indicate whether the password or the username was wrong. Just that SOMETHING was incorrect.
The salt prevents dictionary attacks. The one-way hash prevents anyone, including you or the user, from ever being able to retrieve the password. You can only reset it.
This is by no means a comprehensive guide. Just some more suggestions to get you closer.
Upvotes: 1
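The register/verify flow the answer above describes, as an added worked example (not code from the answerer or the asker). It assumes a `profile` table with `username`, `salt` and `pw_hash` columns, uses an in-memory SQLite database constructed here in place of the asker's MySQL table, and uses PBKDF2-HMAC-SHA256 (a salted, iterated SHA256) as the one-way hash rather than a single SHA256() call; the iteration count is an assumed work factor. It also shows the two details a verifier should get right: a constant-time comparison of the hashes, and one generic failure message whether the username or the password was wrong.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database standing in for the question's "profile" table.
# salt: random bytes per user; pw_hash: one-way hash of (salt, password).
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE profile (username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
)

ITERATIONS = 200_000          # assumed work factor for PBKDF2-HMAC-SHA256
SALT_LEN = 16                 # 128-bit random salt per user
DUMMY_SALT = b"\x00" * SALT_LEN  # used so unknown users cost the same time as known ones


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash of the password with its salt; cannot be reversed, only recomputed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store username, a fresh random salt and the salted hash (never the password itself)."""
    salt = os.urandom(SALT_LEN)
    conn.execute(
        "INSERT INTO profile (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify(username: str, password: str) -> bool:
    """Look up the salt by username, re-hash the supplied password and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM profile WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Unknown user: still spend a hash computation so response time does not
        # reveal whether the username or the password was the wrong field.
        hash_password(password, DUMMY_SALT)
        return False
    salt, stored_hash = row
    # hmac.compare_digest avoids an early-exit byte comparison leaking hash prefixes.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def login_message(username: str, password: str) -> str:
    """Same message for a bad username and a bad password, as the answer recommends."""
    return "Logged in" if verify(username, password) else "Invalid username or password"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")  # constructed sample account
    print(login_message("alice", "correct horse battery staple"))
    print(login_message("alice", "wrong password"))
    print(login_message("nobody", "correct horse battery staple"))
```

Because the salt is random per user, two users with the same password get different `pw_hash` values, and a precomputed table of hashes for common passwords does not match the stored values. The database queries are parameterised (`?` placeholders) rather than built by string concatenation, so the username and password never reach the SQL parser as SQL.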
Reputation: 6190
You can use AES_ENCRYPT(), AES_DECRYPT() functions for this. Here is the way I propose. In your program you keep a constant global variable which stores the encryption key.
So you can compare the password like this.
SELECT User_ID FROM profile WHERE profile.userID = ? AND profile.password = AES_ENCRYPT(?, ?)
-- run as a prepared statement, binding userID, givenpassword and USER_ENCRYPTION_KEY to the three placeholders
-- (string-concatenating those values into the query text would let a user supply SQL of their own)
Hope this will help you.
Prasad.
Upvotes: 1