<p>I'm adding this as another answer because instead of answering the question asked (as I did in the first response) this is a workaround / alternative suggestion.</p>
<p>Simply put:</p>
<p>Use hashes BUT, whenever a user changes their password, also use your public key as follows:</p>
<ul>
<li>Generate a random symmetric key and use it to encrypt the timestamp, user identifier, and new password.
<ul>
<li>The timestamp is to ensure you don't mess up later when trying to find the current / most up-to-date password.</li>
<li>Username so that you know which account you're dealing with.</li>
<li>Password because it is a requirement.</li>
</ul></li>
<li>Store the encrypted text.</li>
<li>Encrypt the symmetric key using your public key.</li>
<li>Store the public-key-encrypted symmetric key with the encrypted text.</li>
<li>Destroy the in-memory plaintext symmetric key, leaving only the public-key-encrypted key.</li>
</ul>
<p>When you need to 'convert' the accounts using the current password, you use the private key and go through the password change records. For each one:</p>
<ul>
<li>Using the private key, decrypt the symmetric key.</li>
<li>Using the symmetric key, decrypt the record.</li>
<li>If you have a record for this user already, compare timestamps, and keep the password that is most recent (discarding the older).</li>
<li>Lather, rinse, repeat.</li>
</ul>
<p>(Frankly I'm probably overdoing things by encrypting the timestamp and not leaving it plaintext, but I'm paranoid and I have a thing for timestamps. Don't get me started.)</p>
<p>Since you only use the public key when changing passwords, speed isn't critical. Also, you don't have to keep the records / files / data where the plaintext password is encrypted on the server the user uses for authentication. This data can be archived or otherwise moved off regularly, as it isn't required for normal operations (that's what the hash is for).</p>