You're Probably Storing Passwords Incorrectly

For all of you out there who are still wondering how exactly to store passwords in the database…

You don’t. You store something derived from the password that can be checked but not reversed. Try doing this as a minimum:

SIGN UP:

  1. Create a user account record with a fresh random salt in it (at least 16 bytes from a cryptographically secure random source, generated per account, never reused).
  2. Put up a password input.
  3. On the backend, handle the submission by getting the random salt stored in the user account record, combining it with the password, and running the result through a slow, salted password hash: bcrypt, scrypt, Argon2id, or PBKDF2 with a high iteration count. Store the resulting hash and its parameters next to the salt. Do not use a plain MD5 or SHA-1 (or even SHA-256) of salt+password: those are fast hashes designed to be computed at billions per second on a GPU, so salting them only defeats precomputed tables, not a dictionary attack against a leaked database. And don’t try to be “forgiving” by uppercasing the password or otherwise ignoring its case. That throws away entropy the user deliberately put in, and the user who chose mixed case wants it respected.

LOG IN:

  1. Get the random salt (and hash parameters) from the user account record, hash the submitted password the same way you did at sign-up, and compare the result against the stored hash using a constant-time comparison.
  2. If it fails, give the user one generic message: “invalid username or password”. Do not say which part was wrong. A response that distinguishes “wrong password” from “account doesn’t exist” lets anyone enumerate your valid usernames, which is half of a credential-stuffing attack done for free. For the same reason, do the full hash computation even when the account doesn’t exist, so response timing doesn’t give the answer away.
  3. Throttle attempts. After a handful of failures, delay the next attempt, and let the delay grow with each further failure. A very low hard cap on attempts mostly punishes legitimate users who mistyped; a delay that grows into minutes is what makes online guessing uneconomic.

FORGOT PASSWORD:

  1. Enter your email, and the site should generate a random, single-use, time-limited reset token, store only a hash of that token (with its expiry) in the account record, and put the token in the emailed link. Don’t email a new password: it sits in the inbox indefinitely, and users tend to keep using it. Show the same “if that address is registered, a link is on its way” message whether or not the account exists. Why do you think the good sites never send you your old password? Because they don’t know what it is!
  2. As soon as the link is used, the site should verify the token and its expiry, invalidate it so it can’t be replayed, and prompt you for your own desired password, which is then hashed exactly as at sign-up with a fresh salt.
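The three procedures above (sign-up, log-in and forgot-password) implemented end to end, as an added example that is not code from the original post. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the slow hash (Argon2id, scrypt or bcrypt are better choices when a library is available), an in-memory dict as a stand-in for the database, and hypothetical function names (`sign_up`, `log_in`, `request_reset`, `complete_reset`). The `now` argument exists only so throttling and token expiry can be exercised without actually waiting.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "database" for the example: username -> account record.
USERS = {}

PBKDF2_ITERATIONS = 600_000   # OWASP's current floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
FREE_FAILURES = 5             # wrong guesses tolerated before throttling starts
RESET_TOKEN_TTL = 15 * 60     # seconds a reset link stays valid

# Fixed salt used only to burn the same hash work for unknown usernames.
_DUMMY_SALT = os.urandom(SALT_BYTES)


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Slow, salted derivation of the stored verifier. The password is used
    exactly as typed: no case-folding or other normalization."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def sign_up(username, password):
    """Create the account with a fresh random salt; the hash parameters are
    stored alongside so they can be raised later without breaking old records."""
    if username in USERS:
        raise ValueError("username already taken")
    salt = os.urandom(SALT_BYTES)
    USERS[username] = {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": hash_password(password, salt),
        "failures": 0,
        "locked_until": 0.0,
        "reset": None,        # pending reset token (hash + expiry), if any
    }


def log_in(username, password, now=None):
    """True on success. Wrong password, unknown user and throttled account all
    return False; the caller shows one message: "invalid username or password"."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)   # same cost as a real check
        return False
    if now < record["locked_until"]:
        return False
    candidate = hash_password(password, record["salt"], record["iterations"])
    if hmac.compare_digest(candidate, record["hash"]):   # constant-time compare
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= FREE_FAILURES:
        # Delay doubles with each further failure: 5s, 10s, 20s ... capped at 15 min.
        delay = min(5 * 2 ** (record["failures"] - FREE_FAILURES), 900)
        record["locked_until"] = now + delay
    return False


def request_reset(username, now=None):
    """Mint a single-use, time-limited token for the emailed link and store only
    its hash. Returns None for unknown users; the page shown to the requester
    must be identical either way."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return None
    token = secrets.token_urlsafe(32)                      # 256 bits of randomness
    record["reset"] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).digest(),
        "expires": now + RESET_TOKEN_TTL,
    }
    return token


def complete_reset(username, token, new_password, now=None):
    """Verify the token from the link, consume it, and set the new password
    exactly as at sign-up (fresh salt, slow hash, throttle state cleared)."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None or record["reset"] is None:
        return False
    pending = record["reset"]
    if now > pending["expires"]:
        record["reset"] = None                             # expired: discard it
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    record["reset"] = None                                 # single use
    salt = os.urandom(SALT_BYTES)
    record.update(salt=salt, iterations=PBKDF2_ITERATIONS,
                  hash=hash_password(new_password, salt),
                  failures=0, locked_until=0.0)
    return True
```

Two points worth noticing when reading it: the case of the password changes the hash, so “Correct Horse” and “CORRECT HORSE” are different passwords, and every failure path out of `log_in` looks the same to the client, with the unknown-user branch paying for a full hash so its timing matches the rest.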

Peace,
Greg