Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m storing the user’s credentials in a database with the encoded password: sha1(pw + salt) and the salt.
When I’m trying to login the user from a client app I do the same thing only with a different salt value, so I send the sha1(pw + another_salt) and another_salt for authorization.
The question is that what further modification should be done to the received encoded password to be able to check against the stored value.
If you send something from client it doesn’t matter if it’s hashed password or just string. And if it’s content generated by client (i.e. you generate salt on client, not on server) – attacker could as well just send your string. So if it’s not secured connection, then you add additional work which doesn’t help.
To allow checking passwords on server with another salt, you need to store original password in clear text.
That’s the whole point of storing hashes instead of passwords in database is to not allow guessing them from hash only. And if you salt them additionally, then you need to use the same salt (it’s public, as it’s stored in database in clear text, but it’s now part of original password). What you ask is something like this:
If you really need this app to work, just send user’s password in cleartext from client app, but over secured connection.