Open TaillandyV opened 2 years ago
Hi,
This is a version that I have just modified for my own use, so it is not up for deployment, but I thought the idea could lead to a better version of shinyauthr if the user could choose.
Thanks for shinyauthr !
Hi, there is already password hashing options provided via the sodium package. This is designed to protect against brute force attacks whereas algorithms such as sha-256 are not. See https://github.com/PaulC91/shinyauthr#hashing-passwords-with-sodium and #13 for details.
Added hashing directly to enhance the security; hashed keys are stored in "password" and the salt is added. This will proceed as such:
The salt given to this user + password entered by the user are hashed using sha-256, then compared to the hash stored in the database for this user. If it is the same, connect the user; if not, don't connect the user.
This change allows for enhanced security; the passwords are not stored (be it on the app, on a database when shiny is launched remotely, or if the source code is found); only the hashed result and the salt can be found.
Check for more information on salting: https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/
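To make the two positions in this thread concrete, here is an added R example (not code from this PR or from shinyauthr itself) that puts the PR's salted SHA-256 scheme beside the `sodium` password hashing the maintainer points to, and times a loop of wrong guesses against each. It assumes the `sodium` package is installed; the user name, password and guess strings are constructed for the example. The point it shows is the one in the maintainer's reply: salting stops precomputed tables, but a plain SHA-256 is so fast that an attacker who has the stored hash and salt can still test guesses at full speed, whereas `sodium::password_store` uses a deliberately slow, memory-hard hash so each guess costs real time.

```r
library(sodium)

# --- Scheme 1: the PR's approach, salt + password through SHA-256 ---
# (constructed example, not shinyauthr code)
make_salted_sha256 <- function(password, salt = sodium::random(16)) {
  digest <- sodium::sha256(c(salt, charToRaw(password)))
  # salt and hash are stored, the password itself never is
  list(salt = sodium::bin2hex(salt), hash = sodium::bin2hex(digest))
}

verify_salted_sha256 <- function(password, record) {
  salt <- sodium::hex2bin(record$salt)
  candidate <- sodium::sha256(c(salt, charToRaw(password)))
  identical(sodium::bin2hex(candidate), record$hash)
}

# --- Scheme 2: what the maintainer recommends, sodium's password hashing ---
# password_store() generates its own salt and embeds it in the returned string,
# so only that one string needs to be kept in the user table.
make_sodium_hash <- function(password) sodium::password_store(password)
verify_sodium_hash <- function(password, stored) sodium::password_verify(stored, password)

# Constructed user record in the shape shinyauthr's user_base uses
user_base <- data.frame(
  user = "alice",
  password = make_sodium_hash("correct horse battery staple"),
  stringsAsFactors = FALSE
)
salted_record <- make_salted_sha256("correct horse battery staple")

# Both schemes accept the right password and reject a wrong one
stopifnot(verify_salted_sha256("correct horse battery staple", salted_record))
stopifnot(!verify_salted_sha256("wrong password", salted_record))
stopifnot(verify_sodium_hash("correct horse battery staple", user_base$password))
stopifnot(!verify_sodium_hash("wrong password", user_base$password))

# Cost of checking n wrong guesses: this is what an attacker holding the
# stored hash (and salt) pays per candidate password.
time_guesses <- function(verify_fn, stored, n = 200) {
  guesses <- sprintf("guess%04d", seq_len(n))   # constructed candidate list
  system.time(for (g in guesses) verify_fn(g, stored))[["elapsed"]]
}

cat("salted SHA-256, 200 guesses:     ",
    time_guesses(verify_salted_sha256, salted_record), "s\n")
cat("sodium password hash, 200 guesses:",
    time_guesses(verify_sodium_hash, user_base$password), "s\n")
```

Run it as a script; the first timing is typically a small fraction of a second, the second noticeably longer, and that gap is the defence the maintainer is describing. Nothing about the salted SHA-256 scheme is wrong as far as it goes, it just leaves the per-guess cost at the speed of SHA-256, which is the property the `sodium` functions are built to avoid.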