A Warning About Custom Authentication and Passwords


If you're designing your own authentication schemes, you probably don't need to store the user's password in your account database; rather, you could store just the hash of the password. When the user passes his username and password to you, you hash the password and compare it with the hash held in the database. If the two hashes are the same, the user is authentic.

The reason for doing this is simple: if your user account database is compromised, the attacker will not get the passwords. The best she'll get is the hashes, and it's much harder to determine a password knowing only its hash. An attacker cannot log on knowing only the hash.

To make life a little more difficult, you could also store a random salt with each user determined at account inception. Just invoke the CryptUtil.Random component, and call the GenRandom method. Store this random salt value in the database along with the account information, hash the password and the salt together, and store that in the database. Hence, two users with the same password will have different hashes because of the influence of the salt on the hash.

When a user logs on, you take the username and use that to query for the hash and salt in the database. Hash the user-provided password with the salt held in the database, and if the hashes match you can be confident that the password provided by the user is the correct one.

Here's some pseudocode to perform these steps:

 strUser = Request.Form("User")
 strPassword = Request.Form("Pwd")
 SELECT SaltedPassword, Salt FROM user WHERE UserName = strUser
 strSaltedPassword = HASH(strPassword, Salt)
 if strSaltedPassword == SaltedPassword then
     // Allow access.
 else
     // Access denied.
 end if
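The same account-creation and logon steps as an added, runnable example (not code from the book or its CryptUtil component). It assumes an in-memory dictionary in place of the user table, os.urandom in place of CryptUtil.Random.GenRandom, and goes one step beyond the book's plain HASH() by using PBKDF2 so that each guess against a stolen table costs the attacker real work.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the book's "user" table: username -> (salt, salted hash).
USER_TABLE = {}

# Assumption: a deliberately slow hash; the book's HASH(password, salt) is a single fast hash.
PBKDF2_ROUNDS = 100_000


def gen_random(n_bytes=16):
    """Stand-in for CryptUtil.Random.GenRandom: a fresh per-account salt."""
    return os.urandom(n_bytes)


def hash_password(password, salt):
    """HASH(password, salt): hash the password and the salt together."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_account(username, password):
    """Account inception: pick a salt, store salt and salted hash, never the password."""
    salt = gen_random()
    USER_TABLE[username] = (salt, hash_password(password, salt))


def verify_login(username, password):
    """SELECT SaltedPassword, Salt FROM user WHERE UserName = ?, then compare hashes."""
    row = USER_TABLE.get(username)
    if row is None:
        # Unknown user: do the same work anyway so response time does not reveal
        # whether the username exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash = row
    candidate = hash_password(password, salt)
    # Constant-time comparison: a plain == stops at the first differing byte.
    return hmac.compare_digest(candidate, stored_hash)


def stored_hashes_differ(user_a, user_b):
    """The book's point: two accounts with the same password hold different hashes."""
    return USER_TABLE[user_a][1] != USER_TABLE[user_b][1]


if __name__ == "__main__":
    create_account("alice", "correct horse battery staple")
    create_account("bob", "correct horse battery staple")
    print(verify_login("alice", "correct horse battery staple"))  # True
    print(verify_login("alice", "wrong password"))                 # False
    print(stored_hashes_differ("alice", "bob"))                    # True
```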



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
