Reputation: 545
I don't really even know what questions to ask here. My problem statement is simple: I need to store a password in the DB with a salt, validate an entered password against the stored password, and authenticate the password using a random challenge word whenever a user tries to log on. I am using PHP/JavaScript.
In trying to figure this out, the problem I am having is that if I pass up a challenge word in an HTML form, then hash the entered password with that word, I can authenticate the password on the server, but I cannot separate the password from the challenge word so I can validate it against the salted password in the DB. If I send the password to the server in the clear or hash it without a challenge word, I can validate it, but now I cannot reliably authenticate it.
I think I need a two-way algorithm of some sort so I can encrypt it with a key, and then authenticate the key while validating the password. How do I do it? Or, if it can't be done, then what should I be doing?
Upvotes: 0
Views: 280
Reputation: 14477
Encrypting a password with client-side scripting is generally a bad idea. The proper way to do this is to use SSL.
Also, never store passwords in cleartext. If you must use a method like the one you describe above, hash the password twice: once for storing it in the database, another time for the two-way authentication.
Upvotes: 2
Reputation: 182883
To store a password, generate a random salt. Store HASH(password+salt) and salt. (Either the server or the client can do this computation.)
To perform an authentication, the server looks up the salt and HASH(password+salt). It then generates a random challenge and sends the salt and the challenge to the client.
On the client, prompt the user for the password. Compute: HASH( HASH(password+salt) + challenge). Send it to the server.
On the server, you already have HASH(password+salt) and you have challenge. So you can also compute: HASH( HASH(password+salt) + challenge). Compare this to what the client sent you. If they match, the password is correct.
Note that this is vulnerable to a MITM attack, so it should be used over a connection that is itself protected from a MITM, such as an SSL connection.
Upvotes: 0
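The flow described in the last answer, as an added Node.js example that is not part of the original thread. SHA-256 stands in for the unspecified HASH, and the in-memory maps and function names are assumptions for illustration.

```javascript
// Added example: salted challenge-response login as described in the answer above.
const crypto = require('crypto');

// Assumption: SHA-256 stands in for the answer's generic HASH.
const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');

const users = new Map();   // username -> { salt, verifier }; stands in for the DB
const pending = new Map(); // username -> outstanding challenge; stands in for the session

// Registration: store the salt and HASH(password+salt), never the password itself.
function register(username, password) {
  const salt = crypto.randomBytes(16).toString('hex');
  users.set(username, { salt, verifier: sha256(password + salt) });
}

// Login step 1 (server): look up the salt and issue a fresh random challenge.
function beginLogin(username) {
  const user = users.get(username);
  if (!user) return null;
  const challenge = crypto.randomBytes(16).toString('hex');
  pending.set(username, challenge);
  return { salt: user.salt, challenge };
}

// Login step 2 (client): HASH( HASH(password+salt) + challenge ).
function clientResponse(password, salt, challenge) {
  return sha256(sha256(password + salt) + challenge);
}

// Login step 3 (server): recompute from the stored value and compare.
function finishLogin(username, response) {
  const user = users.get(username);
  const challenge = pending.get(username);
  pending.delete(username); // single use, so a replayed response is rejected
  if (!user || !challenge || typeof response !== 'string') return false;
  const expected = Buffer.from(sha256(user.verifier + challenge), 'hex');
  const got = Buffer.from(response, 'hex');
  // Constant-time comparison; the length check guards timingSafeEqual.
  return got.length === expected.length && crypto.timingSafeEqual(expected, got);
}
```

The stored HASH(password+salt) is all that is needed to compute a valid response, so the database value has to be protected like a password, and the exchange still needs the SSL connection the answer calls for.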