Currently, user passwords are simply hashed and then stored in the db, I'm pretty sure. For security, they should be salted first, and the salt needs to be stored in the database.
Affected Functionality
When a user creates an account, a salting step needs to take place.
When a user tries to log in, the salt needs to be used to check against the existing salted and hashed password.
When a user resets their password, a new salt needs to be generated as well.
The User table will need a new row that contains just the salt. This is generally the same format and length as the hashed password.
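
A sketch of the three affected flows (account creation, login, password reset) with a per-user salt, added here as an example and not taken from this project's code. The in-memory SQLite table, its column names, and the use of PBKDF2-HMAC-SHA256 as the hash are all assumptions, since the issue does not name the schema or the hash function in use.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for the deployment
SALT_BYTES = 16       # assumed salt length

def _derive(password: str, salt: bytes) -> bytes:
    # Salt and password are mixed inside the KDF, so equal passwords with
    # different salts produce unrelated hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def open_db() -> sqlite3.Connection:
    # Hypothetical schema: the salt is stored next to the hash, per user.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY,"
               " salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return db

def create_user(db, username: str, password: str) -> None:
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per account
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (username, salt, _derive(password, salt)))

def reset_password(db, username: str, new_password: str) -> None:
    salt = secrets.token_bytes(SALT_BYTES)  # new salt, never reuse the old one
    db.execute("UPDATE users SET salt = ?, pw_hash = ? WHERE username = ?",
               (salt, _derive(new_password, salt), username))

def stored_record(db, username: str):
    # Returns (salt, pw_hash) for the user, or None if the user is unknown.
    return db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                      (username,)).fetchone()

def check_login(db, username: str, password: str) -> bool:
    row = stored_record(db, username)
    if row is None:
        # Do the same work for unknown users so timing does not reveal them.
        _derive(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed and stored hashes.
    return hmac.compare_digest(_derive(password, salt), stored)
```

Existing accounts have no salt yet, so a migration would also need a way to re-hash each password with a salt the next time that user logs in successfully.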