Assuming I currently use a safe way to salt-challenge-response-authentication-me
Question
Assuming I currently use a safe way to salt-challenge-response-authentication-method, passwords are stored securely and all.
I now question myself - how do users set the password? Meaning, they enter the password as plain text in the textbox, and what happens next? Should their client hash the password and send it to the server to be salted? Isn't that prone to MITM + rainbow table? I was thinking about querying the server for the salt, and then the client hashes and salts the password, and that's what will be stored in the DB alongside the salt.
What do you think?
Also, is it OK/better to store the first part of the hash, which is the combination of the username and password with salt? Meaning that when they change username they'll need to reset their passwords as well.
Thanks!
Explanation / Answer
Sounds a bit like you're trying to reinvent the wheel :) You're not saying if this is a web app or desktop app. In any case there are de facto ways to do these.
For credentials transport, use TLS. As the name suggests, Transport Layer Security. Use that to transfer credentials from an end-user to the server. Depending on your needs, you could get away with self-signed certificates, but if you're worried about MITM then get proper certs. Do this and you don't need to implement any additional client-side encryption scheme.
To generate a safe password hash, you could use a key stretching function like PBKDF2 to add thousands of iterations and make computing a password time consuming for the attacker.
In case your db is compromised and an attacker dumps all passwords, you can fight against rainbow tables by salting your passwords. Salt doesn't have to be secret but it should be unique to each account to minimize the effectiveness of rainbow tables.
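The server-side flow the answer describes (plaintext arrives over TLS, then PBKDF2 with a per-account salt), as an added example that is not part of the original answer. The record format, the function names and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ALGO = "sha256"
ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware
SALT_BYTES = 16

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Run on the server with the plaintext received over TLS.
    Returns the string to store in the account's DB row."""
    salt = secrets.token_bytes(SALT_BYTES)  # unique per account, not secret
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    # Storing the parameters next to the hash lets the work factor be raised later.
    return f"pbkdf2_{ALGO}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != f"pbkdf2_{ALGO}" or iterations <= 0:
        return False
    dk = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)

def needs_rehash(record: str) -> bool:
    """True when the record uses fewer iterations than the current setting,
    so it can be re-hashed at the user's next successful login."""
    try:
        return int(record.split("$")[1]) < ITERATIONS
    except (IndexError, ValueError):
        return True

if __name__ == "__main__":
    # Constructed sample: two accounts that happen to pick the same password.
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print(a != b)  # different salts give different stored hashes
    print(verify_password("correct horse battery staple", a))
    print(verify_password("wrong guess", a))
```

Because the salt is generated on the server and stored with the hash, the client never needs to fetch it or hash anything itself; a username change also leaves the record valid.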