I do not agree with Brian, because at the moment the standard method for storing passwords in any database is to "salt" (see Wikipedia for a detailed explanation) the password with a randomly generated value and save the hashed value and the salt in your "database" (see notes). The salt is not a secret, so you can store it in plain text. Whenever a user enters a password, you read the salt from your file, apply it to the entered password, and then apply the hash algorithm of your choice. Then you compare the result with the stored hash. If they match, the user is authenticated. For a good (and interesting :)) explanation of why "just" hashing passwords is not enough, see: HOW NOT TO STORE PASSWORDS! For an educational implementation of the salting and hashing process in C#, see C# Salting and Hashing Passwords.
You can also find a good way to do this here: https://stackoverflow.com/a/166268/
For quick reference, the process in pseudo-code:
First password store:
    //get user input
    username = GetUserName
    password = GetPassword
    //generate random salt
    salt = GetRandomValue
    //combine password and salt and apply hash
    hashedPassword = Hash(password + salt)
    //store hash value and salt in database
    AddToDatabase(username, hashedPassword, salt)
User Login:
    //get user input
    username = GetUserName
    password = GetPassword
    //read salt from database
    salt = GetSaltFromDatabase(username)
    //combine password and salt and apply hash
    hashedPassword = Hash(password + salt)
    //compare hash to stored hash value
    correctHash = GetHashFromDatabase(username)
    if (hashedPassword == correctHash) then
        passwordIsCorrect = True
    else
        passwordIsCorrect = False
    end if
Note:
- This assumes that your usernames are unique, as they are used as an identification key in your "database".
- A "database" does not have to be a "real" database; it can also be your configuration file or a text file.
Marcus mangelsdorf
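The two pseudo-code steps above (first store, then login), as an added runnable example that is not part of the answer or of the linked C# article. It keeps the answer's structure (random salt stored in the clear beside the hash, salt re-read at login, hash recomputed and compared) but swaps the generic Hash() for PBKDF2-HMAC-SHA256 from Python's standard library and uses a constant-time comparison instead of ==. The in-memory dict USER_DB, the iteration count and the sample usernames are assumptions for the example; a file or a real database would work the same way.

```python
import hashlib
import hmac
import os

# Assumed "database": an in-memory dict keyed by username. As the answer
# notes, this relies on usernames being unique.
USER_DB = {}

# Parameters chosen for this example. The salt is stored in plain text next
# to the hash; it only needs to be random and unique per user, not secret.
SALT_BYTES = 16
ITERATIONS = 600_000  # PBKDF2 work factor; raise as hardware gets faster


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Hash(password + salt) from the pseudo-code, using PBKDF2-HMAC-SHA256
    instead of a bare hash so that brute force is deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(username: str, password: str) -> None:
    """First password store: generate a random salt, hash, save hash + salt."""
    salt = os.urandom(SALT_BYTES)            # GetRandomValue
    hashed = hash_password(password, salt)   # Hash(password + salt)
    # AddToDatabase(username, hashedPassword, salt); the iteration count is
    # stored too so old records stay verifiable after ITERATIONS is raised.
    USER_DB[username] = {"hash": hashed, "salt": salt, "iterations": ITERATIONS}


def verify_password(username: str, password: str) -> bool:
    """User login: read the salt from the database, re-hash the entered
    password with it and compare against the stored hash."""
    record = USER_DB.get(username)           # GetSaltFromDatabase / GetHashFromDatabase
    if record is None:
        # Unknown user: still spend the KDF cost so response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"], record["iterations"])
    # hmac.compare_digest instead of == so the comparison does not leak how
    # many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    store_password("alice", "correct horse battery staple")
    print(verify_password("alice", "correct horse battery staple"))  # True
    print(verify_password("alice", "Tr0ub4dor&3"))                    # False
```

Because each user gets a fresh salt, two users who choose the same password end up with different stored hashes, which is exactly what defeats the precomputed (rainbow) tables that the linked article warns about.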