Is storing a private key generated by the client that is encrypted by the user's password safer than storing a hash of a password? (The encryption part is done client side and it will be sent to the server; the user's password won't be sent to the server.)
Is saving a private key encrypted with the user's password safer than storing a hash in a database?
136 views. Asked by TarithJ.
It depends what you're talking about.
If I'm the client:

58 3b ae a9 de 37 88 e6 ed a2 9f 45 db 8b 9f 56 ef e1 aa 25 ac 52 f6 3d 02 dd 1b 86 1f c5 39 44
3e 35 33 46 fe a2 04 09 58 ff 1a 29 41 97 cb 6d 44 32 5f 4a 74 01 90 1d f3 32 eb 2c 6e 49 e1 19

What you've done is have the client create a strong password with extra steps. I can convert those bytes to a string:
This is now the user's "password". When they log in to your site, you need to validate that password. That means that you must securely store that password in your system - and taking the SHA-256 hash of that password is not secure.
That's all if the client encrypts it
What if instead the user generates a "private key":
And they send that to the server, and you will encrypt it with the user's password: how did you know the user's password!?
You can't do that, because you can't know their password.
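As an added example (not part of the answer above), this is the server-side handling the answer describes: the client-encrypted blob is encoded as text and used as the credential, and the server stores it with a salted, slow password hash instead of a bare SHA-256. The 64 bytes are the ones quoted in the answer; PBKDF2 with the iteration count and salt length below are assumed parameters, not anything from the question.

```python
import base64
import hashlib
import hmac
import os

# The 64 bytes quoted in the answer, playing the role of the blob the client
# sends: a private key encrypted client-side with the user's password.
CLIENT_BLOB = bytes.fromhex(
    "583baea9de3788e6eda29f45db8b9f56efe1aa25ac52f63d02dd1b861fc53944"
    "3e353346fea2040958ff1a294197cb6d44325f4a7401901df332eb2c6e49e119"
)

# Assumed server-side password-hash parameters; tune the iteration count for your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16


def client_credential(blob: bytes) -> str:
    """Client side: the encrypted blob *is* the credential. Encode it as text so it
    travels like any other password; the user's real password never leaves the client."""
    return base64.b64encode(blob).decode("ascii")


def store_credential(credential: str) -> tuple[bytes, bytes]:
    """Server side: keep a salted, slow hash of the credential, exactly as for a
    human-chosen password. Returns (salt, hash) to persist in the database."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_credential(credential: str, salt: bytes, stored: bytes) -> bool:
    """Server side: recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    cred = client_credential(CLIENT_BLOB)
    salt, stored = store_credential(cred)
    print(verify_credential(cred, salt, stored))
    tampered = client_credential(b"\x00" + CLIENT_BLOB[1:])
    print(verify_credential(tampered, salt, stored))
```

The server never sees the user's password here, only the blob it derived; that is exactly why it cannot do the encryption itself, as the answer points out.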