securitypasswordspassword-protection
How to authenticate client at server using a hashed password with salt?
I try to implement a authentification algorithm. My basic sequence for now is the following:
Right now i doubt that this is the correct way to do it. With the salt i want to prevent rainbow tables but requesting the salt from the server would let a man in the middle attack get the salt and after it cracking the password with a rainbow table using the salt is easy.
Is the only way solving this a https connection or is it somehow possible to get it more save?
Solution
- Never store passwords, just its hash.
- Salt shall never leave server, generate salt and keep it as part of generated hash.
- Use seed for added protection. Seed can be number of seconds from some predefined date till the date user created his login with the application.
C# code sample:
// extends byte[] to create SHA256 hash code with seed and salt of supplied size
public static byte[] GetSHA256HashCode(this byte[] value, byte[] seed, int prefix = 0)
{
var salt = new byte[prefix];
RNG.GetBytes(salt);
return salt.Concat(seed.Concat(salt).Concat(value).ToArray().GetSHA256HashCode()).ToArray();
}
// extends byte[] to compare SHA256 hash code with seed and salt of supplied size to supplied hash code
public static bool IsEqualToSHA256HashCode(this byte[] value, byte[] code, byte[] seed, int prefix = 0)
{
return seed.Concat(code.Take(prefix)).Concat(value).ToArray().GetSHA256HashCode().SequenceEqual(code.Skip(prefix));
}
- How/why is login page redirect required?
- How can i use a reverse shell over global Internet?
- Should I Manually Patch the Pandas DataFrame.query() Vulnerability or Wait for an Official Update?
- C# - Securely storing a password locally
- how to secure keys for API calls from android device to amazon services
- Should I add application.properties to .gitignore if the Git repository is private and both the server and DB are on an internal network?
- Understanding the port numbers of a network connection strings in systemd output of an ubuntu device
- Disable firefox same origin policy
- SecurityError: Blocked a frame with origin from accessing a cross-origin frame
- Securely decoding a Base64 character array in Java
- Is There a Security Risk Using ADB Over TCP/IP for Wireless App Development in Expo?
- Is it a good idea to distribute docker image containing my selfsigned certificate?
- Is it possible to externalize nested components
- How can I make a file trully immutable (non-deletable and read-only)?
- Buzz words in architecture document
- Docker and securing passwords
- Security implications of adding all domains to CORS (Access-Control-Allow-Origin: *)
- Is it possible to browse a spreadsheet when an importrange has been authorized?
- Wordpress ==> SSL ==> MySQL is this configuration possible?
- How to Create Secure(TLS/SSL) Websocket Server
- Attackers might be trying to steal your information from (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
- openapi generator unauthorized 401 via $ref url in yaml
- Deploying a Mercurial Repository to Production - Security Concerns and Tips
- How to find tables using row access policies in Snowflake
- Issue with CORS origin linked to API key
- How to track hacking attempts on a website
- Encrypting AES key with RSA public key
- Why Does OAuth v2 Have Both Access and Refresh Tokens?
- How to make copilot not leak secret credentials (neovim)?
- Clear GPG Cache/Password after Encryption in Linux Terminal