koobas.hobune.stream
Checking a hash with random salt
I'm trying to write a very basic login system using SHA512 + random salt. So I have this
user creates hash:
hash(password+randomSalt)+randomSalt;
So the salt is appended with the hash. Which is then sent to the server and stored.
Now my problem is comparing when someone tries login. The user doesn't know the salt, and I don't want to send the plain text password to the server so I'm a little stuck.
Any safe suggestions?
Should answer/close this. Firstly MD5 isn't really safe hence I'm using SHA-2.
After a bit of research and some helpful people on stackoverflow, I ended up just using username as the salt, rather than randomly generating it.
I don't trust my knowledge of security to really answer this one the way you'd like, I'll just note that cryptographic security is something best left to the experts. If you're just trying to make your own to learn how, fair enough, but if you actually care about doing it securely, talk to google and find/use an established package. Security is incredibly tricky stuff to do right, even the experts can screw it up big time, so it's best to go with established and battle-tested libraries.
So basically, my safe suggestion is don't write your own at all. Do what this guy did instead.
