I have a c# app and I’m trying to write a basic login form using php and mysql to store passwords.
I’m using SHA512 + random salt to store passwords so currently I’m doing this for the passwords.
hash(password+randomSalt)+randomSalt;
So the salt is appended to the hash then sent to the server and stored.
Now my problem is comparing when someone tries login. The user doesn’t know the salt, and I don’t want to send the plain text password to the server so I’m a little stuck.
Should I be encrypting the password and sending it to the server, having the server send the user the salt or is there a better way to implement this?
I just want to make sure anyone who makes an account password is moderately secure.
Thanks in advance
In general, you should store the hashed passwords and random salt values in the database.
When a user authenticates, his or her username and password are sent to the server (preferably, over an SSL secured connection). Form there, you use the username to retrieve the salt value and hashed password from the database to do your comparison with.
Bottom line, you should never store plain-text passwords or send them over an unsecured connection.
See Password hashing, salt and storage of hashed values for more info.