For a fun project I want to support the SASL Mechanisms for authentication, especially PLAIN and DIGEST-MD5.
My question is: how can I store the users’ password securely if I need to support those two ways of authentication?
With only PLAIN auth it would be really easy, I just store the password with bcrypt and compare the user submitted password with the stored pw using the bcrypt_compare function.
But how can I store the password securely when also DIGEST-MD5 should be possible?
Should I store the whole calculated response and use that also for the PLAIN comparison?
Or is there some other way?
//Edit: Regarding the “fun”-project. At the moment it is a fun project but no one knows if it will be a non-fun project at some point. And I don’t want to decrease the security just because it’s a fun project.
The DIGEST-MD5 specification tells you what a server needs to store for that authentication method:
…so all you need to store for DIGEST-MD5 is
H({ username-value, ":", realm-value, ":", passwd }).
You could separately store a bcrypt hash to use for PLAIN authentication, or you could just use the DIGEST-MD5 value. If you stored separate values then you could allow your users to selectively turn off DIGEST-MD5 authentication, which would allow you to remove that (easily-bruteforced) information from the database for those users.
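As an added example (not part of the answer above), the following Python shows what such a server would keep per user and how it verifies both mechanisms. The DIGEST-MD5 arithmetic follows RFC 2831 (H, HEX, KD, A1 and A2 as defined there); since the standard library has no bcrypt, PBKDF2-HMAC-SHA256 stands in for the PLAIN verifier, and the usernames, realm, password, nonce and cnonce values are constructed sample data. The record's `digest_ha1` field set to `None` is the per-user opt-out the answer describes, and the last two functions illustrate why that opt-out matters: a leaked H(username:realm:passwd) lets an attacker complete DIGEST-MD5 without ever learning the password, and it yields to an unsalted-MD5 dictionary guess.

```python
"""Server-side storage and verification for SASL PLAIN and DIGEST-MD5 (RFC 2831).

Added illustration, not the original poster's code. PBKDF2-HMAC-SHA256 stands in
for bcrypt (not in the standard library); all sample values are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional

PBKDF2_ITERATIONS = 200_000  # bcrypt stand-in; use bcrypt.hashpw/checkpw for real


def H(data: bytes) -> bytes:
    """RFC 2831 H(): 16 raw MD5 octets (binary, not hex)."""
    return hashlib.md5(data).digest()


def HEX(data: bytes) -> str:
    return data.hex()


def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:passwd): the only DIGEST-MD5 material the server needs to store."""
    return H(f"{username}:{realm}:{password}".encode("utf-8"))


def _kd_response(ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                 a2: bytes, authzid: Optional[str]) -> str:
    # A1 = { H(username:realm:passwd), ":", nonce, ":", cnonce [, ":", authzid] }
    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    # HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))) with KD(k, s) = H(k ":" s)
    inner = f"{HEX(H(a1))}:{nonce}:{nc}:{cnonce}:{qop}:{HEX(H(a2))}".encode("utf-8")
    return HEX(H(inner))


def client_response(ha1, nonce, cnonce, nc, qop, digest_uri, authzid=None) -> str:
    """response-value sent by the client; A2 = "AUTHENTICATE:" digest-uri."""
    return _kd_response(ha1, nonce, cnonce, nc, qop, f"AUTHENTICATE:{digest_uri}".encode(), authzid)


def server_rspauth(ha1, nonce, cnonce, nc, qop, digest_uri, authzid=None) -> str:
    """response-auth returned by the server; A2 = ":" digest-uri (no method prefix)."""
    return _kd_response(ha1, nonce, cnonce, nc, qop, f":{digest_uri}".encode(), authzid)


@dataclass
class UserRecord:
    username: str
    realm: str
    plain_salt: bytes
    plain_verifier: bytes        # PBKDF2 output standing in for a bcrypt hash
    digest_ha1: Optional[bytes]  # H(username:realm:passwd); None = DIGEST-MD5 disabled


def enroll(username: str, realm: str, password: str, allow_digest_md5: bool = True) -> UserRecord:
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    ha1 = digest_md5_ha1(username, realm, password) if allow_digest_md5 else None
    return UserRecord(username, realm, salt, verifier, ha1)


def verify_plain(rec: UserRecord, password: str) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), rec.plain_salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, rec.plain_verifier)


def verify_digest_md5(rec: UserRecord, nonce, cnonce, nc, qop, digest_uri, response,
                      authzid=None) -> Optional[str]:
    """Return rspauth on success; None on a bad response or when DIGEST-MD5 is off for the user."""
    if rec.digest_ha1 is None:
        return None
    expected = client_response(rec.digest_ha1, nonce, cnonce, nc, qop, digest_uri, authzid)
    if not hmac.compare_digest(expected, response):
        return None
    return server_rspauth(rec.digest_ha1, nonce, cnonce, nc, qop, digest_uri, authzid)


def crack_stored_ha1(stolen_ha1: bytes, username: str, realm: str,
                     candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing: a leaked ha1 costs one unsalted MD5 per candidate to test."""
    for pw in candidates:
        if digest_md5_ha1(username, realm, pw) == stolen_ha1:
            return pw
    return None
```

Note that `client_response` takes the ha1 rather than the password: the genuine client derives it from the password, but anyone holding the stored value can call it just the same, which is the pass-the-hash property that makes that column worth deleting for users who do not need DIGEST-MD5. Nonce generation, nonce reuse tracking and charset handling are out of scope here.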