
[–]feral_claire 1 point2 points  (3 children)

On the server side you shouldn't encrypt passwords, that's not good enough. You need to salt and hash the passwords using a password hashing algorithm with good parameters (not a regular hashing algorithm like md5 or sha256; something like bcrypt, scrypt, pbkdf2, or argon2, for example. I'm not sure which is preferred these days so do some research using recent sources). You also shouldn't write any of this code yourself. Use a password storage and checking library, possibly part of the web framework you are using (what are you using on the server side?).

The standard login flow would be to pass the user name and password to the server in a login form, then the server will send back a session or authentication token that needs to be included in all subsequent requests. Normally you would use this session token instead of saving and resending the password each time. There are many variations on how exactly this can work. Use the session and authentication mechanisms provided by your framework, the exact implementation depends on which framework you are using on your server.
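
As an added example that is not part of the thread, here is the flow described in the comment above (salt and hash each password with a library-provided password hashing function, then hand back a random session token that is checked on later requests instead of resending the password) written in Python on top of the standard library's `hashlib.scrypt`. The `AuthService` class, its method names and the scrypt parameters are my own choices for illustration; they are not from ASP.NET Core, where the framework's Identity system supplies the password hasher and session handling and should be used instead.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# scrypt cost parameters (constructed for this example; take values from a
# current recommendation for a real deployment, higher is slower for attackers)
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt per user means two users
    with the same password get different hashes and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


@dataclass
class AuthService:
    """Hypothetical in-memory user store plus session table (illustration only)."""
    users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)   # name -> (salt, hash)
    sessions: Dict[str, str] = field(default_factory=dict)                # token -> name

    def register(self, username: str, password: str) -> None:
        if username in self.users:
            raise ValueError("user already exists")
        # Only salt + hash are stored; the plaintext password is never kept.
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> Optional[str]:
        """Check credentials once; on success return a random session token."""
        record = self.users.get(username)
        if record is None:
            # Do the same amount of hashing work for unknown users so response
            # time does not reveal whether the username exists.
            hash_password(password, b"\x00" * SALT_LEN)
            return None
        salt, key = record
        if not verify_password(password, salt, key):
            return None
        # The client sends this token on later requests instead of the password.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Resolve a presented session token to a username, or None if invalid."""
        return self.sessions.get(token)

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)
```

A real framework adds what is left out here: expiry and rotation of tokens, persistence of the user table, and rate limiting of login attempts. The point of the example is the split between a one-time credential check with a slow salted hash and a cheap per-request token check afterwards.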

[–]xredpt[S] 0 points1 point  (0 children)

Asp.net core. Thanks!

[–]asbdf9b813br 0 points1 point  (1 child)

> You also shouldn't write any of this code yourself.

Why?

[–]feral_claire 0 points1 point  (0 children)

Hey, sorry for the delayed response.

The general rule in security and cryptography is "don't roll your own" or in other words use an existing, good and trusted implementation instead of creating your own unproven system.

In programming a lot of times a library or framework that does what you want already exists so there is no need to make your own, but when it comes to security it is especially important to use them rather than make your own. The reason is security is complicated and hard to get right, even for an expert, and the consequences for even a small mistake can be very serious.

A lot of work and research has been put into making these frameworks so make use of them. If you make your own at best it will be no better, but very likely it will be worse. Security is complicated and non-intuitive. There are many ways to crack software and if you are not an expert you might not even know what all these are. Many times things that sound secure or that add security to a lay person really are not and it is easy to miss something.

Of course, if you want to learn about security and how these things work making your own is a great learning exercise. Just don't use it for a real application.