Question

If a user wants to log in to a system/server, it's recommended to have the hashed and salted password saved in a database, along with its salt.

So the user wants to log in, types in the password, clicks on login, and with his input and the salt the system checks if the correct hash is created.

I understand this part.

But when I don't want to type the password every time, how would I save the password on the client side? I can't save it hashed, because I need to salt the clear password for the check. If I save it in the clear, the client is vulnerable. And if I use any encryption, where do I store the "master-password"?

Also, in my case I don't really want to force the user into creating a master-password, though it's a required feature not to type in the password every time.

Explanation / Answer

Well, that's what password managers (provided by OSes or embedded in browsers) are for. And yes, you'll need a master password because you need some secret shared with the password manager for it to encrypt those previous passwords of yours. :)

Most websites would provide you with the ability to stay connected via cookies to spare you the pain of re-authenticating. This avoids exposing your credentials, though the cookies being stolen could lead to identity forgery.
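
The "stay connected via cookies" approach from the answer, as an added example that is not part of the original post: after a normal password login the server hands the client a random token and keeps only its SHA-256 digest, so the password itself is never stored on the client. The class and method names, the `selector:token` cookie layout and the 30-day lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 30 * 24 * 3600  # assumed lifetime: 30 days


class RememberMeStore:
    """Server side: keeps only SHA-256 digests of tokens, never the tokens."""

    def __init__(self):
        self._rows = {}  # selector -> (user_id, token_digest, expires_at)

    @staticmethod
    def _digest(token):
        # A fast hash is enough here: the token is 256 random bits, not a
        # human-chosen password, so no salt or slow KDF is needed.
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id, now=None):
        """Call after a successful password login; returns the cookie value."""
        now = time.time() if now is None else now
        selector = secrets.token_urlsafe(12)  # lookup key, not secret
        token = secrets.token_urlsafe(32)     # the actual credential
        self._rows[selector] = (user_id, self._digest(token), now + TOKEN_TTL)
        return f"{selector}:{token}"

    def redeem(self, cookie, now=None):
        """Return (user_id, new_cookie), or (None, None) if the cookie is bad."""
        now = time.time() if now is None else now
        selector, _, token = cookie.partition(":")
        # Tokens are single use: the row is removed whether or not it matches,
        # so a stolen cookie stops working once either party has used it.
        row = self._rows.pop(selector, None)
        if row is None:
            return None, None
        user_id, digest, expires_at = row
        fresh = now <= expires_at
        matches = hmac.compare_digest(digest, self._digest(token))
        if not (fresh and matches):
            return None, None
        return user_id, self.issue(user_id, now)  # rotate on every use

    def revoke_all(self, user_id):
        """Call on logout or password change to drop every token for a user."""
        self._rows = {s: r for s, r in self._rows.items() if r[0] != user_id}
```

The returned value belongs in a cookie set with the `Secure` and `HttpOnly` attributes, which narrows (but does not remove) the cookie-theft risk the answer mentions.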
