
Technically speaking, is there any difference between these two login flows?

The first:

  1. Find user by email/username/etc.
  2. Use a library like bcrypt to compare plain text password to hashed one
  3. Return user if comparison true / return invalid credentials if comparison false

The second:

  1. Hash the plain text password sent by the user
  2. Search for the user by both the email and the hashed password
  3. If the user is found, return him to the client / if the user is not found, return invalid credentials

Luka Mikavica
  • Yes there is a huge difference, the second flow simply won't work. The reason is the salt which is generated randomly for each password, without knowing this salt you cannot reproduce the hash, and without knowing the hash you cannot find the salt. Tried to explain it in this [answer](https://stackoverflow.com/a/38422760/575765). – martinstoeckli May 25 '22 at 11:03
  • Ah yeah, I forgot about the salt, thanks. I saw [this](https://github.com/VaughnVernon/IDDD_Samples_NET/blob/master/iddd_identityaccess/Domain.Model/Identity/AuthenticationService.cs) example but didn't notice he's not using a salt – Luka Mikavica May 25 '22 at 11:12
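To make the salt point concrete, here is an added example (not from the question or the linked repository) that implements both flows against an in-memory user table. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt: bcrypt embeds the random salt inside its hash string, whereas this example stores the salt next to the hash, but the consequence for the two flows is the same. The user table, the usernames and passwords, and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed "database": username -> (salt, password hash).
UserTable = Dict[str, Tuple[bytes, bytes]]

# Stand-in for bcrypt's cost factor; chosen for the example, not a recommendation.
ITERATIONS = 100_000

# Fixed salt used only to keep the timing of a failed lookup similar to a real
# verification, so the login endpoint does not reveal which usernames exist.
_DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is drawn when none is supplied,
    which is what a library like bcrypt does on every hash() call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def register(users: UserTable, username: str, password: str) -> None:
    """Store a freshly salted hash for the user (the salt travels with the hash)."""
    users[username] = hash_password(password)


def login_flow_one(users: UserTable, username: str, password: str) -> bool:
    """Flow 1: find the user, then re-hash the submitted password with the STORED
    salt and compare. This is what bcrypt.compare() does internally, because the
    salt is recoverable from the stored hash."""
    record = users.get(username)
    if record is None:
        # Still do the expensive work so unknown and known users take similar time.
        hash_password(password, _DUMMY_SALT)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    # Constant-time comparison, so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(candidate, stored)


def login_flow_two(users: UserTable, username: str, password: str) -> bool:
    """Flow 2: hash the submitted password FIRST (without access to the stored
    salt), then search for a row matching (username, hash). Because a new random
    salt is used, the candidate never equals the stored hash, even for the
    correct password."""
    _, candidate = hash_password(password)
    return any(
        name == username and hmac.compare_digest(stored, candidate)
        for name, (_, stored) in users.items()
    )


def same_password_hashes_differ(password: str) -> bool:
    """Two hash() calls on the same password produce different digests
    because each call draws its own random salt."""
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first != second


if __name__ == "__main__":
    db: UserTable = {}
    register(db, "alice", "correct horse battery staple")
    print("flow 1, right password:", login_flow_one(db, "alice", "correct horse battery staple"))
    print("flow 1, wrong password:", login_flow_one(db, "alice", "not the password"))
    print("flow 2, right password:", login_flow_two(db, "alice", "correct horse battery staple"))
    print("same password, two hashes differ:", same_password_hashes_differ("x"))
```

Running the block shows flow 1 accepting the right password and rejecting the wrong one, while flow 2 rejects even the right password. Flow 2 can only work if the salt is removed (or fixed and shared), which is exactly the weakness in the unsalted example from the comment above: identical passwords then produce identical hashes, and a leaked table can be attacked with precomputed hashes across all users at once.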

0 Answers