Im searching which are more secure (and yet possible) method of password management inside a web application.

At this time, I save the password as hash. The DB account from the application is fixed to excecution of saved methods and that i authenticate customers by providing the username and also the hashed password to some saved method that returns 1(true) or (false).

So there's absolutely no way of having the password in the server, even when you will find the DB account from the application. Thats things i like relating to this solution. But to make use of this, the customer needs to submit his password over the internet, or at best a static hash that may be catched.

And So I found concept of utilizing a handshake such as this:

  • Client asks server for salt.
  • Random salt is offered to client and saved on server with this single client.
  • Client makes Hash(salt + password) and returns this hash to server
  • Server makes Hash(salt + password) and inspections if it is same then from client

By using this handshake causes it to be possible to determine the password without delivering itself or perhaps a static hash from it. Only a dynamic salted hash, that's different every time the consumer logs in => Highly secure.

However for this handshake i want the password or at best the hashed password in the DB. But this allows someone to access least the hashed password and bruteforce it outdoors the application.

An amount you want? Keeping password inside DB making anything there(secure server), or have it from DB and get it done outdoors(secure transmission)?

Thanks ahead of time, Marks

Your suggested solution doesn't really solve the issue. The server needs to be aware of password nonetheless, therefore it needed to be moved at some stage in plain, that was that which you desired to avoid to begin with. By doing this you simply steer clear of the password being sent again each time, but when someone caught it the very first time it had been moved?

I believe you shouldn't reinvent the wheel :-) Use SSL for those connections and your first solutions works fine. You may also carry out the hashing on client side, so just the hash is distributed within the secure funnel. Your server won't ever be aware of password, also it does not need to.