I have long asked a question about how to store passwords in my database. This is my first time creating a secure web login application, so I would like to set up some good practices.
First, I read hashing and salting. It seems like an idea ...
- Get Hash Algorithm
- Get password from user
- Add "salt" to the text password from the user
- hash all password (including salt)
- Store the salt in db so you can restore it later (for checking PSWD)
And that made me think ... If the hacker knows your salt (because it is stored somewhere in the database, maybe a column with a name this_is_not_the_salt_ur_looking_foror something equally ambiguous), they can generate a password dictionary and gain access,
Then I got an idea. What if you saved your salt inside in the hashed password field. So, follow steps 1-4 (randomly generating salt), then in step 5, insert the salt in the password, somewhere known by the class or password interpretation service:
xxxxxsaltvaluexxxxxxxxxxxxxxxx
where x is the value of the hashed string. Can anyone see any problems with this? Is it just completely unnecessary?
Answer:
There are no reasons why this cannot be done. According to Yahia, other password protection methods include double (or n) hashing. BCrypt, on the other hand, looks like a good method to stop brute force attacks almost completely, but I could not find a reliable library for C #
Thank!
TTD