How is a password stored, and how is the authentication checked?


jrefactors

I want to ask how a password is stored and how the authentication is
checked.

I have heard that a password is never encrypted and decrypted, but
hashed.

For example, consider a simple email logon authentication in a hash
table:
Key: my email address
Value: hash_function(my plain text password)

The hash_function will hash my password to some number.

When I log on, it will have another function to do the reverse.

If (reverse_hash_function(the password I enter on the logon screen)
== get_value(my email address))
Then Correct Password
Else Wrong Password

I don't know if this is correct. Please comment, and advise.

thanks!!
 

makc.the.great

If (reverse_hash_function(the password I enter on the logon screen)
== get_value(my email address))

ain't no such thing as reverse_hash_function.

you do straight_hash_function on password user typed and match result
against hash of original password.
 

mlimber

I want to ask how a password is stored and how the authentication is
checked.

I have heard that a password is never encrypted and decrypted, but
hashed.

For example, consider a simple email logon authentication in a hash
table:
Key: my email address
Value: hash_function(my plain text password)

The hash_function will hash my password to some number.

When I log on, it will have another function to do the reverse.

If (reverse_hash_function(the password I enter on the logon screen)
== get_value(my email address))
Then Correct Password
Else Wrong Password

I don't know if this is correct. Please comment, and advise.

thanks!!

This post is off-topic in this newsgroup, which deals with C++ language
issues, not specific applications or platform dependencies. Try a forum
about security or encryption.

Cheers! --M
 

mlimber

mlimber said:
This post is off-topic in this newsgroup, which deals with C++ language
issues, not specific applications or platform dependencies. Try a forum
about security or encryption.

Oops! Sorry for the cross-posting. I didn't notice it went to multiple
forums. --M
 

Sebastian Gottschalk

mlimber said:
Oops! Sorry for the cross-posting. I didn't notice it went to multiple
forums. --M

1. This is no forum, this is usenet.
2. Your question is a FAQ.
 

Gordon Burditt

I want to ask how a password is stored and how the authentication is
checked.

Which password? One of mine is stored in an Oracle database in plaintext.
I have heard that a password is never encrypted and decrypted, but
hashed.

Some passwords are stored as a one-way hash of the plaintext password.
Some are stored as clear text. How it is stored may have an effect
on the authentication method you use. For example, storing the
password as a hash may make it impossible to use some challenge-response
protocols which need the plaintext password STORED, but never
TRANSMITTED, while the UNIX-style crypt STORES a hashed password
but requires TRANSMISSION of the plaintext password.

Which is more secure depends on the nature of the setup and the
security threat.
For example, consider a simple email logon authentication in a hash
table:
Key: my email address
Value: hash_function(my plain text password)

The hash_function will hash my password to some number.

When I log on, it will have another function to do the reverse.

Hash functions are generally NOT reversible - and that's the point
of using them. You send the plain text password and the server
computes the hash and compares it against what's in the database.
If it matches, you're in.

Gordon L. Burditt
 

Unruh

I want to ask how a password is stored and how the authentication is
checked.
I have heard that a password is never encrypted and decrypted, but
hashed.
For example, consider a simple email logon authentication in a hash
table:
Key: my email address

What key? Hashes do not use keys.
Value: hash_function(my plain text password)

Value is then stored.

Correct (of course you do not say what operating system, what program, etc.,
but this is at least the way it should be done).

The hash_function will hash my password to some number.
When I log on, it will have another function to do the reverse.

No. A hash has no inverse. When you logon the system hashes your entry
password and compares the two hashes.

If (reverse_hash_function(the password I enter on the logon screen)
== get_value(my email address))

No:
if (stored_hash == hash_function(entered_password)) then ....
 

Unruh

This post is off-topic in this newsgroup, which deals with C++ language
issues, not specific applications or platform dependencies. Try a forum
about security or encryption.

He did. sci.crypt. Cross posting.
 

FX

Well, it goes like this. U sign up for email, ur password is taken,
operated b one way hash! the hash used may be MD5 (good one). The
hashed result is stored into database.
Whenever u access ur mail with that password, it is operated by the
same hash (md5) to get the same result. If ur password is different,
the resulted hash would not match, hence access would b denied.
Hence password is quite secure and cannot be retrieved, it can however
be reset by some special defined means...
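A worked version of the store-and-compare flow that makc.the.great, Gordon Burditt, Unruh and FX all describe above: at sign-up only a hash of the password is stored, and at logon the entered password is hashed the same way and the two digests are compared. This is an added example, not code from any poster in the thread. It goes a little beyond the thread's description on purpose: each password gets its own random salt, the hash is an iterated one (PBKDF2-HMAC-SHA256 from Python's standard library) rather than a single bare MD5, and the digests are compared in constant time. The in-memory dictionary standing in for the "hash table" and the sample accounts are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "hash table" in the question: email -> record.
# Assumption: a real service would keep this in a database.
STORE: dict[str, dict] = {}

# PBKDF2 work factor; lowered for a quick demo, raise it in production.
ITERATIONS = 100_000


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way: there is no function that takes the digest back to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(email: str, password: str) -> None:
    """Store salt + iterated hash; the plaintext password is never written anywhere."""
    salt = os.urandom(16)  # per-user salt: same password, different stored hashes
    STORE[email] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": _derive(password, salt, ITERATIONS),
    }


def verify(email: str, password: str) -> bool:
    """Logon check: hash what the user typed the same way and compare digests."""
    record = STORE.get(email)
    if record is None:
        # Burn the same work for an unknown email so response time does not
        # reveal which addresses have accounts.
        _derive(password, b"\x00" * 16, ITERATIONS)
        return False
    candidate = _derive(password, record["salt"], record["iterations"])
    # Constant-time comparison: a plain == may stop at the first differing byte.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    register("alice@example.com", "hunter2")
    register("bob@example.com", "hunter2")  # same password, different salt
    print(verify("alice@example.com", "hunter2"))   # True
    print(verify("alice@example.com", "Hunter2"))   # False
    print(STORE["alice@example.com"]["hash"] != STORE["bob@example.com"]["hash"])  # True
```

The salt is what makes two users with the same password store different digests, and the iteration count is what makes each guess expensive for anyone who obtains the table; neither changes the logon logic in the thread, which is still "hash the input, compare to the stored hash". Note that `verify` never needs, and never has, the original password.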
 

Anne & Lynn Wheeler

FX said:
Well, it goes like this. U sign up for email, ur password is taken,
operated b one way hash! the hash used may be MD5 (good one). The
hashed result is stored into database.
Whenever u access ur mail with that password, it is operated by the
same hash (md5) to get the same result. If ur password is different,
the resulted hash would not match, hence access would b denied.
Hence password is quite secure and cannot be retrieved, it can however
be reset by some special defined means...

majority of ISPs have an intermediary process involving radius
.... that provides authentication, authorization, and accounting
management and administration.

small confession ... for a small startup isp in previous lifetime, i
was actually involved in configuring radius for real livingston box

since then it has become an ietf standard

from
http://www.garlic.com/~lynn/rfcietff.htm

in the "RFCs listed by" section, click on "Term (term->RFC#)"

and scroll down to

remote authentication dial in user service (RADIUS )
see also authentication , network access server , network services
4014 3580 3579 3576 3575 3162 2882 2869 2868 2867 2866 2865 2809
2621 2620 2619 2618 2548 2139 2138 2059 2058

clicking on the rfc number brings up the rfc summary in the
lower frame (if you are using frames).

clicking on the ".txt=nnn" field in a rfc summary, retrieves the
actual RFC.

it tends to support a number of various authentication methods, for
instance if you configure PPP on your personal machine for use with
ISP ... you may be presented 3-4 different options ... which includes
clear-text transfer of a password ... but also stuff like CHAP
(challenge response).

there have even been some number of radius versions done where a
public key is registered in lieu of a password and the client performs
a digital signature operation ... with the server performing digital
signature validation using the on-file public key.

besides ISPs using radius for login, email authentication, newsgroup
authentication, etc. ... there are also major applications (like some
of the database systems and web servers) providing radius interfaces
for performing authentication operations.
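Gordon Burditt's point earlier in the thread, and the CHAP option Lynn Wheeler mentions above, are the other half of the trade-off: a challenge-response protocol never sends the password over the wire, but the server then has to keep the plaintext secret on file, because it must recompute the response itself. The example below is an added illustration, not code from any poster or from any RADIUS or PPP implementation. It implements the CHAP response of RFC 1994 (an MD5 over identifier, secret and challenge, MD5 because that is what CHAP specifies), with both sides' messages in one process, and then shows that a server holding only a hash of the secret cannot verify a correct client. The user names and secret are constructed for the demo.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge).
    MD5 appears here because CHAP specifies it, not as a design recommendation."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side. Note what it keeps on file: the plaintext secret."""

    def __init__(self, secrets: dict[str, bytes]):
        self.secrets = secrets               # user -> plaintext secret
        self.pending: dict[str, bytes] = {}  # one outstanding challenge per user

    def challenge(self, user: str) -> bytes:
        chal = os.urandom(16)                # fresh random value for every attempt
        self.pending[user] = chal
        return chal

    def verify(self, user: str, ident: int, response: bytes) -> bool:
        chal = self.pending.pop(user, None)  # consume it: a re-sent response finds none
        secret = self.secrets.get(user)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)  # needs the plaintext secret
        return hmac.compare_digest(expected, response)


class ChapClient:
    """Peer side. Holds its own secret; only the response crosses the wire."""

    def __init__(self, user: str, secret: bytes):
        self.user, self.secret = user, secret

    def login(self, server: ChapServer, ident: int = 1) -> bool:
        chal = server.challenge(self.user)            # server -> client: challenge
        resp = chap_response(ident, self.secret, chal)
        return server.verify(self.user, ident, resp)  # client -> server: response


# Constructed demo data (assumption, not from the thread).
SECRET = b"correct horse battery staple"


def demo() -> dict:
    """Three logons that show why CHAP needs the plaintext secret stored."""
    good = ChapServer({"alice": SECRET})
    # A server that kept only a hash of the secret, as in the hash-table scheme:
    hash_only = ChapServer({"alice": hashlib.sha256(SECRET).digest()})
    alice = ChapClient("alice", SECRET)
    wrong = ChapClient("alice", b"not the secret")
    return {
        "plaintext_on_file": alice.login(good),       # True
        "wrong_secret": wrong.login(good),            # False
        "hash_only_on_file": alice.login(hash_only),  # False: server cannot recompute
    }


if __name__ == "__main__":
    print(demo())
```

The two schemes in the thread therefore protect against different things: the hash-table scheme limits the damage if the stored table leaks but sends the password across the link, while CHAP keeps the password off the link but makes the server's secret file as sensitive as the passwords themselves. Which one you want depends, as Gordon says, on where the threat is.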
 

Alan Balmer

Oops! Sorry for the cross-posting. I didn't notice it went to multiple
forums. --M

No apology needed. It's still off-topic in two of the three groups
it's posted to.
 

Christian Bau

Unruh said:
What key? Hashes do not use keys.

Of course they do. Google for OMAC, which defines a hash function based
on a block cipher (typically AES-128) and a key.
 
