stackoom
  简体   繁体   中英

how to authenticate users without saving passwords in database

 原文  2015-02-21 12:35:39       security/ authentication/ passwords/ onlinebanking

Question

I am developing a banking demo application. In my region users log-in to their bank website and do some transaction based on two fields that they have(You can assume two passwords- we call them cvv2 and Second-Password). These two passwords are only using for internet or mobile transactions.

I am sure that they do not save these passwords in database; because if they save these passwords in database, then the database administrator can use them and do fake transaction without real user permission.

By the way the question is that how the bank and its web site authenticate users and check that the entered fields(that two passwords) are right when they do not save these passwords in the data base.

2 answers

solution1
 0 ACCPTED  2015-02-21 17:55:10

Most banking systems today, do not rely on simple passwords, they have a two-factor authentication inplace. This could be for example an independend device to generate a code using your credit-card, or a least a TAN list.

When they store a password (usually done in combination with other security measures), then you can be sure that they store a hash of the password. A hash is one-way, you cannot get back the original password from it. Good hash algorithms for storing passwords are BCrypt, PBKDF2 or SCrypt, because they offer a cost factor. If you are interested to read more about the topic, you can have a look at my tutorial abour securely storing passwords.

solution2
 0  2021-12-01 12:04:37

I am new to this but found a way to not store the password in the database and still authenticate the user.

You can create a payload of username and password, something like "username + password" and then hash it using bcrypt or any other algorithms.

Store this hash in the database with the username field. In this way, the password won't be stored anywhere.

Next time you want to authenticate you can take the username and password and generate the hash from it and match which is present in the database. Only the correct password will result in same hash.

Please correct me if I am wrong and there is an flaw in this.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question how to encrypt data in database and reuse it to authenticate users Oracle Apex 21.1: how to's require for create, store and retrieve (authenticate) users with hashed passwords How users are verified when passwords are NOT stored as plain text in the database? Encryption of users passwords in the TYPO3 database How to authenticate users to my site? How to secure database passwords in PHP? How to protect user names, passwords and number of users How to secure database passwords configure file in PHP? How to store thirdparty passwords without reading them Android APP that consumes a webservice how to authenticate users
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM