Comparing password with random salt

Question

I have a c# app and I'm trying to write a basic login form using php and mysql to store passwords.

I'm using SHA512 + random salt to store passwords so currently I'm doing this for the passwords.

hash(password+randomSalt)+randomSalt;

So the salt is appended to the hash then sent to the server and stored.

Now my problem is comparing when someone tries login. The user doesn't know the salt, and I don't want to send the plain text password to the server so I'm a little stuck.

Should I be encrypting the password and sending it to the server, having the server send the user the salt or is there a better way to implement this?

I just want to make sure anyone who makes an account password is moderately secure.

Thanks in advance

Answer 1

It's pretty much impossible. Like Derek said, the right thing is get an SSL cert and send plain text passwords over that.

Salting is to protect a stolen password database from revealing everyones password. But if the hash step is done on the client, the value in the database is the exact string that is sent over the network.

If you really cannot use SSL, http://en.wikipedia.org/wiki/Challenge-response_authentication#Cryptographic_techniques describes a way to avoid sending the password (or the hash, which is almost the same).

Answer 2

In general, you should store the hashed passwords and random salt values in the database.

When a user authenticates, his or her username and password are sent to the server (preferably, over an SSL secured connection). Form there, you use the username to retrieve the salt value and hashed password from the database to do your comparison with.

Bottom line, you should never store plain-text passwords or send them over an unsecured connection.

See Password hashing, salt and storage of hashed values for more info.