Home/ Questions/Q 8831365
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T08:17:37+00:00

I want to create a user management system for my site , what is

  • 0

I want to create a user management system for my site ,

what is better for security and performance .

Type 1 :

table_user : user_id , user_name , user_email , user_password . user_phone ...

or

Type 2 :

table_user : user_id , user_name , user_email ...
table_pass : user_id , user_password .
table_phone: user_id , user_phone .

which one is better ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Ideally:

    • Don’t store passwords at all (even encrypted). Store hashes derived from passwords.
    • Salt the passwords to prevent rainbow attacks.
    • Put hashes on a separate database server, behind its own firewall and its own well-defined API1. This API should do only three things:
      1. For given username, retrieve the corresponding password hash.
      2. For given username, set the new hash (to support resetting the password).
      3. Remove given username and its hash (to support user unregistration).
    • Do the same for salts: put them on their own server and behind their own firewall and API. This API should do only three things:
      1. For given username, retrieve the corresponding salt.
      2. For given username, set the new salt to a random value (to support resetting the password).
      3. Remove given username and its salt (to support user unregistration).
    • Both hash and salt servers should be cut-off from the world (and from each other) and only accessible from the server that runs your Web application (i.e. PHP or ASP.NET or whatever…).

    When user tries to log-on by entering username and password:

    • Make sure this is done through HTTPS so the entered data safely reaches your server.
    • Call the API that retrieves the password hash for the username.
    • Call the API that retrieves the salt for the username.
    • Salt and hash the password entered by the user and compare it to the retrieved hash.
    • If they match, user is granted the access.

    By their nature, hashes are irreversible – other than the user, nobody, not even you, knows the exact password. In case the user forgets the password, you can’t send the password to them, but you can allow them to reset the password assuming they pass some additional verification (i.e. have access to a particular e-mail address and/or answer a secret question).

    BTW, log-on is a relatively rare operation, so it’s unlikely to pose a performance bottleneck unless you completely disregard proper indexing.

    1 E.g. implement a Web Service, then open only the port needed for that Web Service and nothing else.

    • 0