I am new to this kind of stuff, but I would like to try to write my own simple auth system and I don't know what kind of steps I need to take in order to make this system. After doing some research I found that I need to salt and hash my passwords, plus I need to create security tokens, so my question is: what else do I need?
1 Answer
It depends on which kind of authentication you wish to do: user authentication (using username and password) or API authentication (using a secret key).

If you wish to do user authentication, you first of all want to check the SSO (single sign-on) method; it's the most common today. You can use the Google API or Facebook API.

If you wish to manage your own log-in, you need to store the users' data with a hashed password. First of all, you need to hold a secret key in your configuration; with that key you generate a hashed password from the user when he signs up and store it in your DB. Once the user tries to log in, you hash the password he entered and check if there is a match with your record in the DB.

Shalom Balulu
- Are you saying that you would only pepper your password hash, but not salt it? Wouldn't that mean everybody with the password "test" would have the same hash in the database? – ProgrammingLlama Apr 04 '20 at 09:03
- And if you salt it, how would you compare the value when the user tries to log in? – Shalom Balulu Apr 05 '20 at 10:08
- Are you kidding me? You store it alongside the hash. See here https://stackoverflow.com/questions/16891729/best-practices-salting-peppering-passwords – ProgrammingLlama Apr 05 '20 at 11:41
- Also read this article about the Adobe hack. Having every instance of a given password be the same in the database makes it easy for hackers to identify which users have the same password. https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/ – ProgrammingLlama Apr 05 '20 at 11:43
- Can you answer my question? – Shalom Balulu Apr 07 '20 at 12:22
- Yeah, you store the salt alongside the password. The salt is meant to stop attacks using known hashes for a given algorithm, and to stop hackers easily identifying everyone who had the same password. This isn't some idea I'm coming up with; even the password hasher built into the .NET Framework uses this approach, it just combines it into one result. – ProgrammingLlama Apr 07 '20 at 14:02