Changes


WebAppSec/Secure Coding Guidelines

1 byte removed, 03:00, 4 January 2011
===Password Storage===
* Passwords stored in a database should use the following format, which leverages secure hashing and a per-user salt.
* Every new password is stored in the form {algo}-${salt}-${hash}
** {algo} is sha512,
** {salt} is a salt unique per user,
** {hash} is algo(salt + password)
Migrate all existing password hash entries in the database as follows. This is a one-time, offline migration.
* Migrated entries are stored in the form {algo}-${salt}-${migration_hash}
** {algo} is sha512+MD5,
** {salt} is a salt unique per user,
** {migration_hash} is sha512(salt + existingPasswordHash)
'''New Login Process'''<br>
1. Attempt to log the user in with the migration hash. This means performing the old password hash procedure on the supplied password, prepending the salt, and finally applying sha512.
Example: the old password hash process is md5
Migration Hash = sha512(perUserSalt + md5(user supplied password))
2. If authentication via the migration hash is successful:
- Use the user's supplied password to calculate the new hash per the algorithm defined above, and store it in place of the migration entry.
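The offline migration and the two-step login flow above, as an added Python example (not code from this wiki page). The literal `-$` separator in the stored string, the use of the existing MD5 hash's hex digest as `existingPasswordHash`, and the in-memory dict standing in for the user database are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NEW_ALGO = "sha512"          # {algo} for passwords set after the migration
MIGRATION_ALGO = "sha512+MD5"  # {algo} for entries produced by the offline migration


def sha512_hex(data: str) -> str:
    return hashlib.sha512(data.encode()).hexdigest()


def md5_hex(data: str) -> str:
    # The legacy (pre-migration) password hash procedure.
    return hashlib.md5(data.encode()).hexdigest()


def new_record(password: str, salt: Optional[str] = None) -> str:
    """{algo}-${salt}-${hash} with hash = sha512(salt + password)."""
    salt = salt or secrets.token_hex(16)  # assumption: 32 hex chars per user
    return f"{NEW_ALGO}-${salt}-${sha512_hex(salt + password)}"


def migrate_record(existing_md5_hex: str, salt: Optional[str] = None) -> str:
    """One-time offline migration: wraps the old hash, no plaintext password needed."""
    salt = salt or secrets.token_hex(16)
    return f"{MIGRATION_ALGO}-${salt}-${sha512_hex(salt + existing_md5_hex)}"


def parse_record(record: str) -> Tuple[str, str, str]:
    algo, salt, digest = record.split("-$", 2)  # assumption: "-$" is the separator
    return algo, salt, digest


def login(db: dict, user: str, password: str) -> bool:
    """Verify a password; a successful migration-hash login upgrades the entry."""
    record = db.get(user)
    if record is None:
        return False
    algo, salt, stored = parse_record(record)
    if algo == MIGRATION_ALGO:
        # Step 1: old hash procedure (md5), then salt, then sha512.
        candidate = sha512_hex(salt + md5_hex(password))
        if not hmac.compare_digest(candidate, stored):
            return False
        # Step 2: recompute under the new scheme and replace the migration entry.
        db[user] = new_record(password, salt)
        return True
    if algo == NEW_ALGO:
        return hmac.compare_digest(sha512_hex(salt + password), stored)
    return False  # unknown {algo}: refuse rather than guess
```

This follows the 2011 guideline as written; current practice would replace the plain sha512(salt + password) step with a deliberately slow password hash such as bcrypt, scrypt or Argon2, keeping the same wrap-then-upgrade-on-login pattern.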