In my ASP.NET web service, user passwords are stored as hash values using
BCrypt.Net.BCrypt.HashPassword (password, BCrypt.Net.BCrypt.GenerateSalt ());
My web service needs to implement token-based authentication as well. I am new to this, and as I understand from reading, in an authentication token the password also comes as a hashed string. So I have no clue how to validate the authentication token, as I do not know the original password from either side. Is it really necessary to hash the password in an authentication token? Or can I append the password to the authentication token as a base64-encoded string? Is it safe?
A token is usually a random number/string which is not related to any other information like a password.
You can implement an authentication service, which needs a password once and can return a token if the password was correct. Later, the client can send the token instead of the password to authenticate the user. The application can ask the service whether this token is valid.
Advantages are:
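As an added example of the flow the answer describes (this is not code from the question or the answer), assuming the BCrypt.Net-Next package and .NET 6 or later; the TokenService class, its method names and the in-memory stores are hypothetical:

```csharp
// Added example: a minimal token service built around the question's BCrypt call.
// Assumes BCrypt.Net-Next and .NET 6+ (RandomNumberGenerator.GetBytes, SHA256.HashData).
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public sealed class TokenService
{
    // Sample store (constructed): username -> BCrypt hash, as produced by HashPassword.
    private readonly ConcurrentDictionary<string, string> _passwordHashes = new();
    // Active tokens are kept only as SHA-256 hashes, so a leaked store cannot be replayed.
    private readonly ConcurrentDictionary<string, (string User, DateTime ExpiresUtc)> _tokens = new();
    private readonly TimeSpan _lifetime;

    public TokenService(TimeSpan lifetime) => _lifetime = lifetime;

    public void Register(string user, string password) =>
        _passwordHashes[user] = BCrypt.Net.BCrypt.HashPassword(password, BCrypt.Net.BCrypt.GenerateSalt());

    // Step 1: the client presents the password once; on success it receives a random token.
    // The token is unrelated to the password, so the password never travels again.
    public string? Login(string user, string password)
    {
        if (!_passwordHashes.TryGetValue(user, out var hash)) return null;
        if (!BCrypt.Net.BCrypt.Verify(password, hash)) return null;

        var raw = RandomNumberGenerator.GetBytes(32);   // 256 bits from a CSPRNG
        var token = Convert.ToBase64String(raw);
        _tokens[Sha256(token)] = (user, DateTime.UtcNow.Add(_lifetime));
        return token;
    }

    // Step 2: later requests carry the token; the application asks the service whether
    // it is still valid and, if so, which user it belongs to.
    public string? Validate(string token)
    {
        var key = Sha256(token);
        if (!_tokens.TryGetValue(key, out var entry)) return null;
        if (entry.ExpiresUtc <= DateTime.UtcNow)
        {
            _tokens.TryRemove(key, out _);              // expired: drop it and reject
            return null;
        }
        return entry.User;
    }

    public void Logout(string token) => _tokens.TryRemove(Sha256(token), out _);

    private static string Sha256(string s) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(s)));
}
```

A client calls Login once with the password, then sends only the returned token on later requests, which the server checks with Validate; the password itself is never placed inside the token, hashed or base64-encoded.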