0

What are the steps of hashing password during registration and login to an application using salt and key?

Are the following steps considered correct if applied to an application?:

1- During registration:


  1. user insert password
  2. hashing function generates unique salt
  3. hashing function adds the salt to the password
  4. hashing function generates a unique key
  5. hashing function hashes the salted password with this key
  6. the password and the salt are sent to the application database
  7. the key is sent to another database

2- During login:


  1. user insert password
  2. the application returns the password of the inserted username with the salt and the key
  3. hashing function adds the retrieved salt to the entered password
  4. hashing function hashes the salted password with the retrieved key
  5. the application compares the two hashed password for the user (the one registered in the application database and the one inserted)
  6. if both password are the same then the login happens
  • thank you but the steps are not as clear as in this post @ConorMancone – JuniorDeveloper Nov 08 '19 at 02:42
  • Hashing does not involve a key. I'm not sure where your confusion lies but I think taking the time to understand the "correct" answer will be helpful for you. Regardless, you are asking how to properly hash passwords, which that question answers. Therefore this is a duplicate, so why ask someone else to answer a question that is already answered? – Conor Mancone Nov 08 '19 at 02:46
  • I understood that hashing using key-derivation-function involves a key. And I need a confirmation for my understanding of the steps @ConorMancone – JuniorDeveloper Nov 08 '19 at 02:53

1 Answers1

0

Let me correct this. Notice the bold parts, and removed steps

1- During registration:


  1. user insert password
  2. hashing function generates unique salt
  3. hashing function adds the salt to the password
  4. hashing function generates a hash from password + salt
  5. the hash and the salt are sent to the application database

2- During login:


  1. user insert password
  2. the application retrieves the salt and password hash for the username
  3. hashing function adds the retrieved salt to the entered password
  4. hashing function hashes the salted password
  5. the application compares the two hashes for the user (the one registered in the application database and the one derived from the input)
  6. if both hashes are the same then the login happens

This way you only ever store a hash and a salt, which makes it impossible to find the password from what's stored in the database, as long as the choice of hashing algorithm is secure and the password is hard to guess.

ig-dev
  • 1,118
  • 6
  • 13
  • To you previous comment: Key derivation means creating a cryptographic key, from, for example, a password. Deriving a key is similar to calculating a hash. This key can then be used to encrypt other things, like files or communication. The derived key is not used to encrypt the password itself which was used to derive the key. @JuniorDeveloper – ig-dev Nov 08 '19 at 03:53
  • Clear answer. I appreciate it @ig-dev – JuniorDeveloper Nov 08 '19 at 03:56
  • This might be better. 1. User enters the password and send the system ( TLS required) 2. Generate a random salt using system random and check that it is not used before. Although very low, hash functions have collisions so check them if you are using a hash. 3. By using a proper password hashing algorithm - BCrypt, PBKDF2, or better Argon2 - generate the password hash from password and salt. 4. Optionally, you can use pepper, too. 5. Store the hash and salt in the database, if pepper is used store in the application server. – kelalaka Nov 08 '19 at 11:03
  • There is certainly no point in checking for the astronomically low chance of a hash collision with a different existing password, which, even if it happened (which it won't), would not affect the security of the salted hash. The case for checking of uniqueness of salts is similar. As long as your salts are cryptographically random, and long enough, they will fulfill their purpose, – ig-dev Nov 09 '19 at 00:57