Information Security
Nwton, 2017-01-20 02:35:10

How to work with a user's password?

I'm trying to figure out elementary user authorization. A number of questions have come up about working with the password:
1) Since the connection is https, a man in the middle will not be able to intercept the password, so can it be safely sent in plain form?
2) On the server, the password is encrypted: 3 iterations of sha256(password + unique user salt + 'additional salt string'), and the result is placed in the database.
- if someone gets read access to the database, they will not be able to recover the password, because in addition to the unique salt there is an additional salt in the script itself
- if someone gets write access to the database, substituting the unique salt and the password hash will not help, for the same reason.
Here it is not clear to me why a unique salt is still used, since the attacker still does not have access to the additional one?
3) What protective measures are missing?


2 answer(s)
xmoonlight, 2017-01-20

1. Everything that passes through the network is better encrypted, even if it goes inside SSL.
2. The password is not encrypted, but hashed. (If someone gains access to the database, then in 99% of cases they have already gained access to the script.)
3. Understanding the logic of how the authentication system functions, plus knowledge.
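As an added example, not code from the question or from xmoonlight's answer: the scheme the question describes (three sha256 rounds over password + per-user salt + 'additional salt string'), reconstructed in Python, together with a small simulation of what the per-user salt buys against someone who holds both the database dump and the script, and a slow KDF from the standard library as the kind of replacement question 3 is asking about. The concatenation order, the feed-forward between rounds, the pepper value and the wordlist are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the question's 'additional salt string'. This is a
# pepper: it lives only in server-side code/config and is never written to the DB.
PEPPER = b"additional salt string"


def question_hash(password: str, user_salt: bytes, pepper: bytes = PEPPER,
                  rounds: int = 3) -> bytes:
    """The scheme described in the question: three sha256 iterations over
    password + per-user salt + pepper. Concatenation order and feeding each
    round's digest into the next are assumptions, not stated on the page."""
    data = password.encode() + user_salt + pepper
    for _ in range(rounds):
        data = hashlib.sha256(data).digest()
    return data


def make_record(password: str, salt: bytes = None, salt_len: int = 16) -> dict:
    """What goes into the DB row: a random per-user salt and the hash.
    A fixed salt can be passed in only to simulate the 'no unique salt' case."""
    if salt is None:
        salt = os.urandom(salt_len)
    return {"salt": salt, "hash": question_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute and compare in constant time to avoid a timing side channel."""
    return hmac.compare_digest(question_hash(password, record["salt"]),
                               record["hash"])


def hashes_collide_without_user_salt(pw_a: str, pw_b: str) -> bool:
    """Drop the per-user salt and two users who chose the same password store
    the same hash. A reader of the DB sees that duplicate without knowing the
    pepper at all, which is the first thing the unique salt prevents."""
    return question_hash(pw_a, b"") == question_hash(pw_b, b"")


def offline_attack(records: list, wordlist: list, shared_salt: bytes = None):
    """Constructed simulation of the attacker who has the dump AND the script
    (so the pepper). Returns (users cracked, hash computations performed).
    With a shared salt one pass over the wordlist builds a lookup table that
    cracks every user at once; with per-user salts each user costs its own
    pass, so the work grows with the number of accounts."""
    if shared_salt is not None:
        table = {question_hash(w, shared_salt): w for w in wordlist}
        cracked = sum(1 for r in records if r["hash"] in table)
        return cracked, len(wordlist)
    cracked, computations = 0, 0
    for r in records:
        for w in wordlist:
            computations += 1
            if question_hash(w, r["salt"]) == r["hash"]:
                cracked += 1
                break
    return cracked, computations


def slow_hash(password: str, salt: bytes, pepper: bytes = PEPPER,
              iterations: int = 200_000) -> bytes:
    """Replacement for three rounds of sha256: PBKDF2-HMAC-SHA256 from the
    standard library. Same three inputs, but the iteration count makes every
    guess in offline_attack() deliberately expensive. Appending the pepper to
    the password before the KDF is one common way to combine them."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, iterations)


if __name__ == "__main__":
    words = ["123456", "hunter2", "password"]        # constructed wordlist
    unique = [make_record("hunter2") for _ in range(4)]
    shared = [make_record("hunter2", b"\x00" * 16) for _ in range(4)]
    print("per-user salt :", offline_attack(unique, words))
    print("shared salt   :", offline_attack(shared, words, b"\x00" * 16))
```

The pepper only helps as long as the script stays secret; once an attacker has both the dump and the script, the per-user salt is what forces one wordlist pass per account, and the slow KDF is what makes each of those passes cost real time.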
