In a login system, passwords must be persisted (in a database, for example) after they have been hashed (for lack of a better word) with a salt randomly generated for that user (as @bfavaretto mentioned). Thus, in the DB, each user must have at least 3 items saved: username, hashed password and the salt.
As soon as the user’s password enters the server, you must follow these steps (in pseudocode):
login(username, password) {
    // get the user's information
    User user = bd.getUser(username);
    // get this user's salt
    string salt = user.salt;
    // hash the password entered by the user
    // and check whether it matches the password in the DB
    if (Hash(password, salt) == user.hashed_password) {
        // login successful
    }
}
Remember that when a new user registers, it is necessary to generate the salt randomly:
registar_user(username, password) {
    string salt = random(); // generate salt
    string hashed_password = Hash(password, salt); // hash the password with the generated salt
    db.Insert(username, hashed_password, salt);
}
Note: Attention, do not confuse hashing with encryption. MD5 is a hash algorithm, not encryption. Moreover, it was already shown in 1995 and 2004 that the MD5 algorithm has serious flaws and should not be used. Instead, use SHA256 or SHA512.
Encryption algorithms are used in other situations, for example to prevent intercepted messages from being deciphered or altered. There are symmetric (AES) and asymmetric (RSA) algorithms.
If I use encryption, will my system be very slow with many users logging in at the same time?
Hashing algorithms are very fast, especially when the input is small, as in the case of passwords. In addition, security always comes before performance. Performance can be improved later by scaling vertically or horizontally.
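The register/login flow from the answer above, as an added Python example (not code from the original post). It keeps the answer's structure (per-user random salt, salted hash stored next to the username) but swaps the bare SHA256 for PBKDF2-HMAC-SHA256 with an iteration count and compares hashes in constant time; the in-memory `DB` dict, the `ITERATIONS` value and the function names are assumptions standing in for the real database.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the DB table the answer describes:
# username -> (hashed_password, salt). Assumption, not a real database.
DB = {}

# PBKDF2 work factor: assumption, tune it for the deployment's hardware.
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: the answer's SHA256, iterated so that offline
    # brute force against a leaked table is expensive.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register_user(username: str, password: str) -> bool:
    if username in DB:
        return False  # never silently overwrite an existing account
    salt = os.urandom(SALT_LEN)  # fresh random salt for this user only
    DB[username] = (hash_password(password, salt), salt)
    return True


def login(username: str, password: str) -> bool:
    record = DB.get(username)
    if record is None:
        # Hash anyway so an unknown username does not answer noticeably
        # faster than a wrong password (timing side channel).
        hash_password(password, b"\x00" * SALT_LEN)
        return False
    stored_hash, salt = record
    # Constant-time comparison instead of ==.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)
```

Because each user gets a different salt, two users with the same password end up with different stored hashes, which is what the salt is for.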
Thanks for the acceptance, but you don’t need to accept an answer so fast! This may reduce the chances of a better one.
– bfavaretto
When I read your question, I understood that you would be building an extremely simple system, with only one user, one password, and no database. Is that right? If not, the other answers are much more appropriate than mine.
– bfavaretto