So I've done a bunch of research on how to better secure my site through the use of a hashed password along with it being salted (random). I've created a salted hash and added it to my user password database. I can create a cookie, have the program read that cookie with the salted hash, compare it to the database and give the appropriate access.

But my question is, how do I give access if I don't already have the salt key?

Normally, I'd have the user enter the password, hash it and do a basic "if hashedpassword = databasepassword" return true, else false. This way the hash is never returned.

With a salted hash, the first x characters stored are the salt. It seems like I'd have to call the database, have it return the salt, then regenerate the password hash to do a compare. This way I have to return a password hash/salt from the DB. Is there a better way to do this?

I hope that makes sense.

Thanks.

    nightdesigns wrote:

    With a salted hash, the first x characters stored are the salt. It seems like I'd have to call the database, have it return the salt, then regenerate the password hash to do a compare. This way I have to return a password hash/salt from the DB. Is there a better way to do this?

    Retrieve the salt and hashed password from the database. Hash the salt with the password provided by the user. Compare the result with the hashed password retrieved from the database. Basically, yes, you have to get the hashed password from the database unless you want to run two database statements (but there is no harm getting the hashed password since it is never revealed to the user anyway, so it is pointless to run two database statements).

    Note that the security provided by this scheme is to protect your users in the event that the database is compromised. It does not protect your users from the interception of their passwords as they login. You would need to use SSL/TLS for that.
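
The check described in this reply, as an added example (not code from the thread or its posters): the salt sits in front of the hash in one column, is fetched by a single query, split off, and the recomputed value is compared in constant time. It swaps a bare hash(salt + password) for PBKDF2; the username, password, iteration count and in-memory table are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BYTES = 16        # random salt stored in front of the hash (hex -> 32 chars)
ITERATIONS = 100_000   # PBKDF2 work factor; assumed value, tune for your server

def make_stored_value(password: str, salt: Optional[bytes] = None) -> str:
    """Build the single column value: salt hex (first 32 chars) + PBKDF2 hash hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    """Split the salt off the stored value, recompute, and compare in constant time."""
    cut = SALT_BYTES * 2
    if len(stored) != cut + 64:            # sha256 digest is 64 hex chars
        return False                       # corrupt or truncated row: never authenticate
    try:
        salt = bytes.fromhex(stored[:cut])
    except ValueError:
        return False                       # salt prefix is not hex
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(recomputed.hex(), stored[cut:])

# Constructed stand-in for the users table (one row); real code would run one SELECT.
USERS = {"nightdesigns": make_stored_value("correct horse battery staple")}
# Precomputed dummy so unknown usernames cost the same time as a wrong password.
_DUMMY = make_stored_value("not-a-real-password")

def login(username: str, password: str) -> Optional[str]:
    """Fetch the stored column once; on success return a random session id for the
    cookie instead of anything derived from the password or its hash."""
    stored = USERS.get(username)
    if stored is None:
        verify_password(password, _DUMMY)
        return None
    if not verify_password(password, stored):
        return None
    return secrets.token_urlsafe(32)

if __name__ == "__main__":
    print("good login:", login("nightdesigns", "correct horse battery staple") is not None)
    print("bad login :", login("nightdesigns", "wrong") is None)
```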

      Excellent, thanks for that info.

      Related note, am I okay to use the hash in a cookie when the user is logged in, or is there a better way?

        nightdesigns wrote:

        Related note, am I okay to use the hash in a cookie when the user is logged in, or is there a better way?

        Use sessions. The cookie will then only store the session id (which may be a hash anyway, heh), not anything related to the password.
