How are passwords stored?
NeatNit:
It's pretty important to store passwords correctly. In fact, the best practice is not to store passwords at all and instead, use a "log in with Google"/Facebook/whatever button, essentially removing all password theft security risks and relying on the other service's security - which is probably great because they're huge companies.
But clearly, SmileBASIC Source uses its own user accounts and its own passwords, so you have to store them somewhere! Now, as far as I know, the current best practice is to take the password, add some salt (basically a long string that is specific to each user), and use a hashing algorithm on that - then store that.
Is this what you're doing? (if not, better do it ASAP)
There are ways to tell if someone knows their password without transmitting it, or an encrypted version.
https://en.wikipedia.org/wiki/Zero-knowledge_proof
Okay, people, Random has explained this stuff before to me in chat, so might as well tell.
When you log in, the webpage sends the username and a MD5 hash of your password. The account name is first checked on the MySQL server (which is not port forwarded, so no one can hack it). If it doesn't exist, the server says that the username or password. If it does, then the server hashes the MD5 hash with Bcrypt, and compares that hash with the one stored on the database. If the hashes match, a session key is sent (as a cookie) to you, and you're now logged in until you close your web browser tab (unless you click Remember me). Else, you're sent a message that the username or password is incorrect.
Now, Bcrypt is one of the best hashing functions, and the MySQL server isn't outside the firewall, so you're not gonna get hacked. So don't worry about security (especially since CloudFlare automatically sets up SSL).
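The login flow the last post describes, as an added example that is not the site's own code: the browser sends an MD5 hex digest of the password, and the server runs a per-user salted slow hash over that digest and compares it with the stored value. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for it here (an assumption, not what the site runs), and the user table is an in-memory dict constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the users table: username -> (salt, stored_hash).
USERS = {}

# Work factor for the stand-in slow hash (bcrypt has its own cost parameter).
PBKDF2_ROUNDS = 100_000

# Fixed salt used only to keep "no such user" as slow as "wrong password".
DUMMY_SALT = b"\x00" * 16


def client_side_digest(password: str) -> str:
    """What the browser transmits: an MD5 hex digest of the typed password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def server_slow_hash(md5_hex: str, salt: bytes) -> bytes:
    """Server-side salted slow hash of the transmitted digest.
    PBKDF2-HMAC-SHA256 stands in for bcrypt, which is not in the standard library."""
    return hashlib.pbkdf2_hmac("sha256", md5_hex.encode("ascii"), salt, PBKDF2_ROUNDS)


def register(username: str, password: str) -> None:
    """Store a fresh random per-user salt and the slow hash of the client digest."""
    salt = os.urandom(16)
    USERS[username] = (salt, server_slow_hash(client_side_digest(password), salt))


def login(username: str, md5_hex: str) -> bool:
    """Return True only when the recomputed hash matches the stored one.
    Unknown user and wrong password both return False, so the caller can show the
    single "username or password is incorrect" message the thread describes."""
    record = USERS.get(username)
    if record is None:
        # Still do the slow hash so response time does not reveal whether the user exists.
        server_slow_hash(md5_hex, DUMMY_SALT)
        return False
    salt, stored = record
    candidate = server_slow_hash(md5_hex, salt)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, stored)
```

Because the server verifies whatever digest the browser sends, the MD5 value is the effective credential on the wire, so the TLS layer the last post mentions is what protects it in transit; the per-user salt and slow hash are what protect the stored values if the table ever leaks.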