I am new to web development and databases and am trying to implement password authentication with reasonable security and speed. I have read about hashing the password and appending a salt unique to each user in order to deter people from generating rainbow tables.
My question deals with the time I have to search in order to verify a user. Since I don’t know who is trying to connect at any given time, it seems to me that I would need to retrieve every field from the salt column then hash the submitted password + each unique salt and then finally compare each output to the hashed strings in the table?
So I have to submit a separate query for each combination of hash(password+salt)? That seems like it would be awfully slow. Am I missing a trick that would speed up the process? Or is it simply a matter of sucking it up and sacrificing speed for better security? Or am I mistaken and with the speed of today’s computers it isn’t an issue at all?
You cannot authenticate the user based only on a password. Password is a verification that the user is who they say they are, so you need some sort of user identifier — name or whatever. Table then looks like users(..., name, password, ...), you do SELECT password WHERE name = "foo" and proceed with verification from there. Convenient form is to keep all parameters needed to generate derived key inside the password field, e.g. like this:
For hashing itself, you don’t want it to be fast — see key derivation functions like PBKDF2, bcrypt or scrypt. In general, tuning the parameters so that it takes about a second to derive one key is a nice way to make brute forcing infeasible.
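The lookup-then-verify flow described in the answer, as an added example that is not part of the original post. The `algorithm$iterations$salt$key` field layout, the helper names and the iteration count are assumptions made for illustration; PBKDF2 comes from Python's standard `hashlib`.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed work factor; tune it for your own hardware

def encode_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$key_hex' for the password column."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"

def check_password(password, stored):
    """Re-derive the key from the stored salt and parameters, then compare."""
    try:
        algo, iterations, salt_hex, key_hex = stored.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(key, expected)  # constant-time comparison

def open_db():
    """In-memory table standing in for users(..., name, password, ...)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return db

def register(db, name, password, iterations=ITERATIONS):
    db.execute("INSERT INTO users (name, password) VALUES (?, ?)",
               (name, encode_password(password, iterations)))

def authenticate(db, name, password):
    """One indexed lookup by name, then exactly one key derivation."""
    row = db.execute("SELECT password FROM users WHERE name = ?",
                     (name,)).fetchone()
    return row is not None and check_password(password, row[0])

if __name__ == "__main__":
    db = open_db()
    register(db, "foo", "correct horse")  # constructed sample account
    print(authenticate(db, "foo", "correct horse"), authenticate(db, "foo", "guess"))
```

Because the salt and iteration count travel with each record, a login costs one query and one derivation regardless of how many users exist, and the work factor can be raised later for new passwords without breaking old ones.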