I recently did a security review of my site, following the latest news articles around hacked high profile sites, for example. LinkedIn
So my question is:
How can I store a user's password completely separate from their username and other information? Thus, the hacker could only get the password, and not the corresponding username.
Edit: I forgot to say that I already store passwords as a hash (and thrust it in).
Regardless of how you do this, there still should be a way for the authentication mechanism to link the username / password together, so what you are trying to do is useless.
, , Hash, , .
http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database
, - , Google. ( , , , Bcrpyt), . , . , , .
, , . . , , , - .
. ( : ) . , , , , .
- .
, Google, OpenID.http://openid.net/, , , , .:http://www.codinghorror.com/blog/2010/11/your-internet-drivers-license.html
: , google , , . , Google. . Googlehttp://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html, ... .
, .
, mysql () - : PASSWORD()
PASSWORD()
, :
update user_table set password = PASSWORD(?) where user_id = ?
:
select * from user where user_id = ? and password = PASSWORD(?); // returns the row if password correct
MySQL mysql .
, , LinkedIn , SHA1 encyption. , "" . , . :
, , . , ,
" ( , ), - , - , .
if anyone knows why linkedIn won't merge their hashes, I'd love to hear from you. From everything I read, SHA1 can be easily decrypted over time.