I have never written an auth user system before and for this project. I need to balance security with efficiency (which means that I cannot spend hundreds of man-hours working with protection, but I need to save passwords and login information).
I am using Node.js with express framework and passport for authentication and sessions.
The research that I have done so far shows three problems to solve. Until today, I had no idea that if any general solutions exist for these problems, and a few hours of accidentally diverting attention to the study do not give me confidence in the completeness of the answers that I found.
Problems:
Do not store unencrypted text passwords in the database (Possible answer: salt / hash password on the server and save the hash in the database.)
Do not send plaintext passwords through an insecure http connection (Possible answers: A - Use Https ONLY for the authentication process. After that, use http. B - Send random salt to the user on the login page, hash the client part of the password, then do not hash and re-encrypt for database storage.)
Do not use weak encryption methods that can handle GPUs at 700,000,000 passwords per second. (Possible answer: bcrypt)
, 3 . , , . ( : - https , ?)