Blog | G5 Cyber Security

Secure Login: Passwordless Authentication

TL;DR

Instead of keeping your password, the server keeps only a salted hash of it. At login it hashes whatever you submit with the same salt and compares the result, so it can verify that you know the password without ever storing it in a form that can be read back. This is done using hashing and salting.

How It Works

This guide explains how to implement a more secure login system. The core idea is that your password is never stored on the server, neither in plain text nor in a reversible encrypted form. Instead, it is passed through a one-way hash function together with a random salt, and only the resulting ‘hash’ is kept.

Step-by-Step Guide

  1. Hashing Passwords: When a user creates an account:
    • The password is taken from the user.
    • A random per-user ‘salt’ is generated (a string of random bytes). Because every user's hash is computed with a different salt, an attacker who steals the database cannot use precomputed tables and has to attack each password separately.
    • The salt and password are combined, then passed through a hashing function (like bcrypt or Argon2). This creates the hash.
    • Store the hash and salt in your database – never store the original password!
  2. Verification During Login: When a user tries to log in:
    • The user enters their password.
    • Retrieve the salt associated with that username from the database.
    • Combine the entered password and the retrieved salt.
    • Hash this combination using the same hashing function used during registration.
    • Compare the newly generated hash to the stored hash in the database. If they match, the login is successful!

Example Code (PHP with bcrypt)

This shows a simplified example using PHP's built-in password_hash() and password_verify() functions, which use bcrypt. Important: This is for demonstration only; production code requires more robust error handling and security measures.

Registration

Login
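The following is an added example that covers both the Registration and Login sections above, as well as the step-by-step procedure earlier on the page; it is not the original post's code. It uses PHP's real password_hash(), password_verify() and password_needs_rehash() functions and an in-memory array as a stand-in for the users table. One caveat relative to the step-by-step guide: password_hash() generates a random salt itself and embeds it in the returned hash string, so with bcrypt (or Argon2 via the same API) you store a single hash column rather than a separate salt.

```php
<?php
declare(strict_types=1);

// Work factor for bcrypt. Raise it over time as hardware gets faster.
const BCRYPT_OPTIONS = ['cost' => 12];

// In-memory stand-in for the users table (constructed for this example).
// Key: username. Value: the bcrypt hash string, which already contains the
// algorithm id, the cost and the random salt that password_hash() generated.
$users = [];

// Registration: hash the password and store only the hash, never the password.
function register_user(array &$users, string $username, string $password): void
{
    if (isset($users[$username])) {
        throw new RuntimeException('username already exists');
    }
    // password_hash() draws a fresh random salt on every call, so two users
    // with the same password still get different hashes.
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    if ($hash === false) {            // PHP < 8.0 returns false on failure
        throw new RuntimeException('hashing failed');
    }
    $users[$username] = $hash;
}

// Login: verify the submitted password against the stored hash.
function login_user(array &$users, string $username, string $password): bool
{
    // Verify against a dummy hash when the username is unknown, so the time
    // taken does not reveal whether the account exists.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_BCRYPT, BCRYPT_OPTIONS);

    $storedHash = $users[$username] ?? $dummyHash;

    // password_verify() re-hashes the input with the salt and cost embedded in
    // the stored string and compares in constant time; never compare with ===.
    $valid = password_verify($password, $storedHash) && isset($users[$username]);
    if (!$valid) {
        return false;
    }

    // If the cost factor has been raised since this hash was created, upgrade
    // the stored hash now, while the plaintext is available.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $users[$username] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    return true;
}

// Demonstration with constructed sample values.
register_user($users, 'alice', 'correct horse battery staple');
var_dump(login_user($users, 'alice', 'correct horse battery staple'));
var_dump(login_user($users, 'alice', 'wrong password'));
var_dump(login_user($users, 'nobody', 'anything'));

// Same password, different user: the hashes differ because the salts differ.
register_user($users, 'bob', 'correct horse battery staple');
var_dump($users['alice'] !== $users['bob']);
```

Two practical notes: bcrypt only uses the first 72 bytes of the password, so enforce a sensible maximum length (or pre-hash) rather than silently truncating, and make sure the plaintext password never reaches application logs or error messages on either the registration or the login path.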

Important Considerations
