by DrewHintz 6056 days ago
Rather than storing the actual passwords in the database, you'll want to only store a digest of each password.

For example, storing a keyed HMAC using SHA-2 is great. An easy similar method is to store the SHA(password + some server secret value + user's email address). In this case the user's email address serves as the salt. The server secret value prevents a database-only compromise from leading to locally brute-forced passwords. When the user logs in, on the server, re-compute the digest and see if it matches the stored digest.

I didn't notice any HTTPS -- you might want to use it for queries involving the password and any financial transactions.
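The scheme the comment describes, as an added example that is not part of the original post: the server secret is the HMAC key, the user's email is the salt, and login recomputes the digest and compares it in constant time. The secret value, the separator byte between password and email, and the email normalization are my assumptions, not something the comment specifies.

```python
import hashlib
import hmac

# Constructed server secret for this example only. In a real deployment it is
# read from configuration or a secrets manager, never stored next to the digests,
# so that a dump of the users table alone is not enough to test password guesses.
SERVER_SECRET = b"example-server-secret-not-in-the-database"


def _salted_input(password: str, email: str) -> bytes:
    """Password plus per-user salt (the email address), with a separator byte so
    that "ab" + "c@x" and "a" + "bc@x" cannot produce the same input. The email
    is normalized so a later case change in the login form does not lock the user out."""
    return password.encode("utf-8") + b"\x00" + email.strip().lower().encode("utf-8")


def password_digest(password: str, email: str, secret: bytes = SERVER_SECRET) -> str:
    """Keyed digest: HMAC-SHA-256 keyed with the server secret over the salted input.
    Only this hex string is stored in the users table, never the password."""
    return hmac.new(secret, _salted_input(password, email), hashlib.sha256).hexdigest()


def verify_password(stored_digest: str, password: str, email: str,
                    secret: bytes = SERVER_SECRET) -> bool:
    """Login check: recompute the digest from the submitted password and compare it
    to the stored one. compare_digest avoids leaking the match position via timing."""
    candidate = password_digest(password, email, secret)
    return hmac.compare_digest(candidate, stored_digest)


# Minimal in-memory user store (constructed) to show the register / login flow.
USERS: dict[str, str] = {}


def register(email: str, password: str) -> None:
    USERS[email.strip().lower()] = password_digest(password, email)


def login(email: str, password: str) -> bool:
    stored = USERS.get(email.strip().lower())
    # Run the digest even for unknown users so response time does not reveal
    # whether the email exists; a dummy digest is compared and always fails.
    return verify_password(stored or password_digest("", ""), password, email) and stored is not None
```

A fast hash like SHA-2 keyed with a pepper is what the comment describes; a deliberately slow, memory-hard KDF (scrypt, Argon2) is the usual choice today for the same storage role, and can still be combined with a server secret.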