Progress Communities > OpenEdge ABL > Forum Post: Re: Password Encryption At...

Thread starter: bronco

bronco (Guest):
Sorry Gus, that's definitely not a good idea. The best way is to store a hashed password, that is obvious. The key here is how to hash. Well, the "standard" here is to compose a hashing salt from a part which is the same for every user, concatenated (or combined by whatever means) with a user-specific part of the salt, which you can happily store alongside the user record. So: salt = f(generic_part, user_part). This also implies that hashing cannot be done on the client (because it's a no-no to share your salts with the client). The resulting hash is stored in the user record. Back to the original question, I guess there's no alternative but to encrypt it on the client, decrypt on the server, hash on the server and compare that hash against the hash stored in the user record. Then you still have to exchange some sort of encryption key to make it possible to encrypt client-side....

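The scheme bronco sketches above (salt = f(generic_part, user_part), per-user part stored with the record, hash computed and compared on the server) as an added Python example. This is not code from the original thread and not OpenEdge ABL; it uses only the standard library. The server-wide "generic part" is what practitioners usually call a pepper: it is assumed here to be loaded from configuration or a secrets store rather than the database, and the hard-coded value below is a placeholder. PBKDF2-HMAC-SHA256 with 600,000 iterations is the assumed password-hashing function; the iteration count is a choice made for this example, not something the post specifies.

```python
import hashlib
import hmac
import os

# Assumed server-wide secret ("generic part" of the salt). Placeholder value for the
# example only; in a real deployment load it from config/KMS, never from the user table.
SERVER_PEPPER = b"example-pepper-replace-me"

# Assumed work factor for PBKDF2-HMAC-SHA256 (example choice).
ITERATIONS = 600_000
USER_SALT_BYTES = 16


def derive_salt(generic_part: bytes, user_part: bytes) -> bytes:
    """salt = f(generic_part, user_part).

    HMAC is used as the combining function instead of plain concatenation so the two
    parts cannot be shifted against each other (e.g. "ab"+"c" vs "a"+"bc").
    """
    return hmac.new(generic_part, user_part, hashlib.sha256).digest()


def hash_password(password: str, user_salt: bytes, pepper: bytes = SERVER_PEPPER) -> bytes:
    """Server-side hash: the pepper never leaves the server, so this cannot run on the client."""
    salt = derive_salt(pepper, user_salt)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user_record(password: str) -> dict:
    """Build the user record: a fresh random per-user salt plus the resulting hash.

    Only the user-specific part of the salt is stored alongside the record.
    """
    user_salt = os.urandom(USER_SALT_BYTES)
    return {"user_salt": user_salt, "pw_hash": hash_password(password, user_salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-hash the received (already decrypted) password on the server and compare.

    compare_digest is constant-time, so a wrong guess does not leak how many leading
    bytes of the stored hash it matched.
    """
    candidate_hash = hash_password(candidate, record["user_salt"])
    return hmac.compare_digest(candidate_hash, record["pw_hash"])


def same_password_different_users_differ(password: str) -> bool:
    """Two users with the same password get different hashes because user_part differs."""
    a = create_user_record(password)
    b = create_user_record(password)
    return a["pw_hash"] != b["pw_hash"] and a["user_salt"] != b["user_salt"]


def hash_depends_on_pepper(password: str) -> bool:
    """A stolen user table (user_salt + hash) is not enough to reproduce the hash
    without the server-side generic part."""
    user_salt = os.urandom(USER_SALT_BYTES)
    with_pepper = hash_password(password, user_salt, pepper=SERVER_PEPPER)
    without_pepper = hash_password(password, user_salt, pepper=b"")
    return with_pepper != without_pepper


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    rec = create_user_record("correct horse battery staple")
    print("stored user_salt:", rec["user_salt"].hex())
    print("stored pw_hash:  ", rec["pw_hash"].hex())
    print("correct password accepted:", verify_password(rec, "correct horse battery staple"))
    print("wrong password rejected:  ", not verify_password(rec, "Correct horse battery staple"))
    print("same password, two users, different hashes:",
          same_password_different_users_differ("hunter2"))
    print("hash depends on server pepper:", hash_depends_on_pepper("hunter2"))
```

The user record holds only `user_salt` and `pw_hash`; the pepper and the iteration count live in server configuration, which is exactly why the hash has to be computed server-side in the flow the post describes (client encrypts, server decrypts, hashes, compares).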
 