Storing blank password in USER table if authenticating using facebook

Question

I am designing an application that would accept new users through signup form, or login using facebook.

When user signs up, I'd create a user record and store the encrypted password (hash) in the USER table. If the user signs up through FB, I still want to create the user record.

But how should I handle the password column since I will not be exposed to their FB password. Or should I separate userid/login/password from the USER table and keep it in a separate table and FB users will not have a record in this new table.

Answer 1

Either of those will work fine- you probably just want to keep a record in your User table of what authentication provider this user prefers and use that as a guide to how you log them in.

There are advantages to storing log-in details separately from user accounts, but they are going to be fairly closely associated anyway and there's no harm in storing the log-in with the user account details in many cases. Keeping separate log-in records would make it easier to record when a user signed-in and with which credentials, catch when they try to change their password to something they have used in the past and so on, but whether you want that level of auditing for your application is entirely down to you.

There is no risk in having a blank password in the user table in itself, as long as you can ensure there is no route by which someone could try and force the system to log a Facebook-authenticated user in using your standard log-in process. Having an indication of what log-in type a user favours and ensuring that any log-in attempt against a blank password automatically fails should be sufficient to avoid this as a problem.