In a login system, passwords must be persisted (in a database, for example) after they have been hashed (for lack of a better word) with a salt randomly generated for that user (as referred to by @bfavaretto). Thus, in the DB, each user must have at least 3 stored items: username, hashed password and salt.
As soon as the user's password enters the server, you should follow these steps (in pseudocode):
    login(username, password) {
        // fetch the user's record
        User user = db.getUser(username);
        // fetch this user's salt
        string salt = user.salt;
        // "hash" the password entered by the user
        // and check whether it matches the password stored in the DB
        if (Hash(password, salt) == user.hashed_password) {
            // login successful
        }
    }
Do not forget that when a new user registers, it is necessary to generate a random salt:
    registar_user(username, password) {
        string salt = random(); // generate the salt
        string hashed_password = Hash(password, salt); // "hash" the password with the generated salt
        db.Insert(username, hashed_password, salt);
    }
Note: Warning, do not confuse hashing with encryption. MD5 is a hashing algorithm, not encryption. In addition, it has been proven in 1995 and 2004 that the MD5 algorithm has serious flaws and should not be used. Instead, use SHA256 or SHA512.
Encryption algorithms are used in other situations to prevent intercepted messages from being decrypted or changed, for example. There are symmetric (AES) or asymmetric (RSA) algorithms.
If I use encryption, will my system be very slow with many users logging in at the same time?
Hashing algorithms are very fast, especially when the input is small, as in the case of passwords. In addition, security always comes before performance. Performance can be improved later by scaling vertically or horizontally.
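The register and login procedure from the answer above, written out as an added example that is not part of the original post: Hash(password, salt) is instantiated as PBKDF2-HMAC-SHA256 from Python's hashlib (an assumption; the answer names SHA-256 but no particular construction), the database is a constructed in-memory dict, and the salt comes from secrets.token_bytes.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the users table: username -> (hashed_password, salt).
db: dict[str, tuple[bytes, bytes]] = {}

PBKDF2_ITERATIONS = 600_000  # assumption: work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash(password, salt) from the answer, instantiated as PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register_user(username: str, password: str) -> bool:
    """registar_user: generate a fresh random salt, hash, then persist all three items."""
    if username in db:
        return False  # refuse to overwrite an existing account
    salt = secrets.token_bytes(16)  # 128-bit salt from the OS CSPRNG, unique per user
    db[username] = (hash_password(password, salt), salt)
    return True


def login(username: str, password: str) -> bool:
    """login: look up the user's salt, re-hash the submitted password, compare."""
    record = db.get(username)
    if record is None:
        # Hash anyway so an unknown username costs as much as a wrong password
        # (otherwise response timing reveals which usernames exist).
        hash_password(password, bytes(16))
        return False
    stored_hash, salt = record
    # Constant-time comparison: never use == on secret-derived digests.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


if __name__ == "__main__":
    register_user("alice", "correct horse battery staple")
    register_user("bob", "correct horse battery staple")  # same password as alice
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "wrong password"))                # False
    # Same password, different per-user salt -> different stored hashes:
    print(db["alice"][0] != db["bob"][0])                  # True
```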