Security Strategy
Store the password in plain text.
Compare the password the user enters with the stored password.
- Very simple implementation.
- Password retrieval is possible.
- Very bad strategy: if the DB is breached, or if an operations engineer with DB access looks, every password is readable as-is, and users tend to reuse passwords on other systems.
Hash the user password and store the hash in the DB, preferably with SHA-256.
Hash the password the user enters the same way and compare the two hashes.
- Better than plain text: the DB no longer holds the passwords themselves.
- Two users with the same password get the same hash, so duplicates are visible in the DB and common passwords can be looked up in precomputed tables of hashed common strings.
- SHA-256 is a fast, general-purpose hash; an attacker who has the hashes can test billions of guesses per second on a single modern GPU, so a dictionary attack on a weak password still succeeds.
- Password retrieval is not possible; only a password reset can be done.
Hash the user password with a random salt and store the hash in the DB together with the salt, preferably with SHA-256.
Hash the password the user enters with the stored salt and compare the result with the stored hash.
- The stored hashes differ even when two passwords are the same, so duplicates are not visible and precomputed tables are useless; each hash has to be attacked on its own.
- Additional salt storage is needed (an extra column per user).
- The salt does not slow the attacker down: SHA-256 is still fast, so a per-user dictionary attack remains practical.
- Password retrieval is not possible; only a password reset can be done.
Hash the user password with bcrypt and store the result in the DB. bcrypt generates a random salt itself, hashes the password with it, and embeds the salt (together with the cost factor) in the output string, so no separate salt storage is needed.
Use bcrypt to compare the password the user enters with the stored hash; it reads the salt and cost back out of the stored string.
- Hashes differ even when two passwords are the same, and bcrypt is deliberately slow with a tunable cost factor, so every guess against a leaked hash is expensive. Hard to break.
- No need to store the salt in an additional column.
- Password retrieval is not possible; only a password reset can be done.
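Here is an added example, written for this page and not part of the original notes, that puts the three hashing strategies above side by side in Go: unsalted SHA-256 (identical passwords give identical digests), salted SHA-256 with the salt kept in its own column, and a bcrypt-style single string that carries algorithm, cost and salt in itself so the verifier needs no extra column. Assumptions made for the example: only the Go standard library is used, so PBKDF2-HMAC-SHA256 is written out and takes the place of bcrypt (real bcrypt output, `$2b$<cost>$<salt+hash>`, is built on the same idea); the `$pbkdf2-sha256$...` record format, the 100000 iteration count and the sample passwords are all chosen here, not taken from the notes.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Strategy 2: unsalted SHA-256. The same password always gives the same digest.
func hashPlain(password string) string {
	sum := sha256.Sum256([]byte(password))
	return hex.EncodeToString(sum[:])
}

// newSalt returns 16 random bytes from the OS CSPRNG.
func newSalt() []byte {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return salt
}

// Strategy 3: salted SHA-256. The caller must store the salt in its own column
// and pass it back in at login: hashSalted(input, storedSalt) == storedHash.
func hashSalted(password string, salt []byte) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return hex.EncodeToString(h.Sum(nil))
}

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018, section 5.2), written out
// because older Go releases have no PBKDF2 in the standard library. It stands
// in for bcrypt's slow, salted hash so the example needs no third-party module.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	ctr := make([]byte, 4)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // T = U_1 xor U_2 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Strategy 4: one self-describing string in the bcrypt style. Algorithm, cost,
// salt and digest are packed together, so no extra salt column is needed:
//   $pbkdf2-sha256$<iterations>$<base64 salt>$<base64 digest>
const iterations = 100000

func hashSelfContained(password string) string {
	salt := newSalt()
	dk := pbkdf2SHA256([]byte(password), salt, iterations, 32)
	b64 := base64.RawStdEncoding
	return fmt.Sprintf("$pbkdf2-sha256$%d$%s$%s", iterations,
		b64.EncodeToString(salt), b64.EncodeToString(dk))
}

// verifySelfContained reads cost and salt back out of the stored string,
// recomputes the digest with them and compares in constant time.
func verifySelfContained(password, stored string) bool {
	parts := strings.Split(stored, "$")
	if len(parts) != 5 || parts[1] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(parts[2])
	salt, err1 := base64.RawStdEncoding.DecodeString(parts[3])
	want, err2 := base64.RawStdEncoding.DecodeString(parts[4])
	if err != nil || err1 != nil || err2 != nil || iter < 1 || len(want) == 0 {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	// Constructed sample: two users who chose the same password.
	fmt.Println("unsalted collide:", hashPlain("Summer2024!") == hashPlain("Summer2024!"))
	fmt.Println("salted collide:", hashSalted("Summer2024!", newSalt()) == hashSalted("Summer2024!", newSalt()))
	stored := hashSelfContained("Summer2024!")
	fmt.Println(stored, verifySelfContained("Summer2024!", stored))
}
```

The shape of verifySelfContained is the point: it takes no salt argument because it parses the cost and salt out of the stored value, which is exactly why bcrypt needs no extra column. Because the underlying hash is deliberately slow, each guess an attacker makes against a leaked record costs as much as one login attempt costs the server.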
Use AES (a symmetric encryption mechanism) to encrypt the user ID, with the password as the encryption key. Store the encrypted user ID; the password itself is not stored.
Use AES to decrypt the stored value with the entered password as the decryption key and compare the result with the user ID.
- No need to store the password or a hash of it.
- A password is not a valid AES key; it first has to be turned into a key of 128, 192 or 256 bits, and if that derivation is fast, guessing is cheap. With a mode that uses an IV or nonce, the IV has to be stored as well.
- The encrypted user ID is still a password verifier: anyone who dumps the DB can try passwords offline by decrypting and checking the result, exactly as with a stored hash. The scheme gives no protection that a salted, slow hash does not.
- Password retrieval is not possible here either; only a password reset can be done.
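As an added example (not from the original notes), here is the encrypted-user-ID strategy implemented in Go with AES-256-GCM from the standard library, together with the check a practitioner would run against it: an attacker holding the stored row can try passwords offline by decrypting, so the record is a password verifier in the same sense a hash is. Assumptions made for the example: the password is turned into a 32-byte key with SHA-256 (the notes say to use the password itself as the key, but AES needs a fixed-length key); the GCM nonce is stored next to the ciphertext; the user IDs, password and wordlist are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is the database row for this strategy: no password, no hash, just the
// user ID encrypted under a key derived from the password. The nonce must be
// stored as well, a detail the strategy description leaves out.
type Record struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: encrypted user ID plus authentication tag
}

// keyFromPassword turns a password of any length into the 32-byte key AES-256
// requires (a password is not a valid AES key on its own). SHA-256 keeps the
// example standard-library only; being fast, it is also what makes the offline
// guessing below cheap.
func keyFromPassword(password string) []byte {
	k := sha256.Sum256([]byte(password))
	return k[:]
}

func aeadFor(password string) cipher.AEAD {
	block, err := aes.NewCipher(keyFromPassword(password))
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// Enroll encrypts the user ID with the password-derived key. Only the result is stored.
func Enroll(userID, password string) Record {
	g := aeadFor(password)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Record{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, []byte(userID), nil)}
}

// Verify decrypts the stored value with the entered password and compares the
// plaintext with the claimed user ID. A wrong password fails the GCM tag check.
func Verify(userID, password string, rec Record) bool {
	pt, err := aeadFor(password).Open(nil, rec.Nonce, rec.Ciphertext, nil)
	return err == nil && string(pt) == userID
}

// CrackOffline is the attacker's view of a dumped row: every guess costs one key
// derivation and one decryption, the same work the login server does, so the
// record is a password verifier like a hash, not a secret that hides the password.
func CrackOffline(userID string, rec Record, wordlist []string) (string, bool) {
	for _, guess := range wordlist {
		if Verify(userID, guess, rec) {
			return guess, true
		}
	}
	return "", false
}

func main() {
	rec := Enroll("alice", "Summer2024!") // constructed sample credential
	fmt.Println(Verify("alice", "Summer2024!", rec), Verify("alice", "winter", rec))
	// Constructed wordlist standing in for a leaked-password dictionary.
	fmt.Println(CrackOffline("alice", rec, []string{"123456", "password", "Summer2024!"}))
}
```

Because the nonce is random, two users with the same password get different records, so this behaves like a salted hash; what it does not do is make each guess slow, which is the property the bcrypt strategy above buys and this one does not.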