I have read about how to implement security into a website using hashing, and I am not creating something terribly sensitive like a bank or storing credit cards. I would, however, like to know the best practices. My site has a TLS cert with AES 256
Main issues:
1.) Sending the hashed password hashed again through the session seems to be the only way I can think of to keep the session fairly secure. In my opinion, I don’t really care if the user finds that value, but I would care if the user found some way to see the database and knew exactly what my encryption algo was.
2.) Should I just completely take out my algorithm prior to hashing the password, or should I use different hashing methods?
Is it okay to use sha512 prior or after bcrypt, since both of these are sound as far as collisions and brute force?
Personally I just SHA512 passwords for storage and comparison upon login, and for session tracking I store a key of
hash('sha512', $username.$salt.$password);, this key is stored in the session and compared against the user’s key in the database to authenticate their session.I’ve yet to come across any security issues with this, it shouldn’t be possible to forge a key unless you know the user’s username, password and their user salt (which obviously should not be stored in the database) so it should be secure as long as someone doesn’t get access to both your database and your code (in which case you’ve got bigger issues than protecting user passwords ;))