0

I want to have a way of authenticating a user (who introduces his password) without having that password stored in plain text or even a hash of it.

How should I do it?

Is it secure to have a control string that the user key can cipher and compare it with the ciphered string that I have stored?

2 Answers

1

Per NIST (National Institute of Standards and Technology):

Use a hash function, iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as PBKDF2, password_hash, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force.

See: How to store your users’ passwords safely

Excerpted from the presentation "Toward Better Password Requirements" by Jim Fenton. Information based on NIST SP 800-63-3 Draft document "Digital Authentication Guidelines".

Do:

Require an 8 character min, >64 max with no truncation or 6 random digits  
Use a dictionary to disallow common passwords against a dictionary list of 10M compromised passwords  
Allow all printing characters (Unicode optional) + spaces but MAY canonicalize spaces out  
Best to accept Unicode, including emojis (1 “character”/code point)   
Limit failed authentication attempts to 100 in 30-day period per account  
Offer option to display the secret while typing rather than dots or asterisks  

Storing passwords:

Hash with 32-bit random salt using a key derivation function such as PBKDF2 with SHA-1, SHA-2 family, SHA-3 family with at least 10,000 iterations

Don't:

Require composition rules  
Allow hints  
Require routine password expiration  
Save plain or hashed versions with or without seeding  

See: Toward Better Password Requirements by Jim Fenton.

zaph
1

See Zaph's answer for what you need to do. I'll just add a little more background in case it's helpful.

As it turns out, storing the password in encrypted form is less secure than storing a properly done password hash. This is because an encryption cipher is designed to be unencrypted with the right key, and the encryption algorithm doesn't necessarily rely on being slow as one of its defenses against a brute force attack.

But a properly done password hash algorithm is designed so that you can't get the password from the hash, AND the password hashing algorithm design DOES use speed of hashing (i.e. make it slow) as a partial defense against trying to find the password through brute force hashing of every possible password.

RonC