Hi, I've been doing some research regarding password security and, after reading several topics and Kerckhoffs's principle, I came up with what I believe is a really secure system regarding online security:
An offline/local encryption/hashing server. Imagine this: a user registers himself on the website, but instead of the current site hashing and storing the password,
the site sends a request to the hashing server (which contains the hashing algorithm and the salt). I have not quite figured out the most secure way of communication between servers just yet.
The hashing server then responds with the hashed password, which the site then stores in the database. This way, even if the hacker knows the system, depending on how you configured the hashing server (I am also lacking a bit of information about configuring servers), the hacker won't be able to figure out your hashing/salt.
I would appreciate any feedback or criticism regarding my so-called 'system'.
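The following is an added example, not code from the original post, that sketches the design the question describes in Python: a separate hashing service holds a secret key (a "pepper") and returns a keyed hash of the password, and the website then applies a per-user salt and a slow hash before storing the result. In keeping with Kerckhoffs's principle, the algorithm (HMAC-SHA256 followed by PBKDF2) is assumed to be public; the only secret is the pepper held by the service. The class names, the pepper value, the PBKDF2 work factor, and the in-process method call standing in for the network request to the hashing server are all my assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


class HashingService:
    """Hypothetical stand-in for the separate hashing server.

    It holds exactly one secret, the pepper key. The hashing algorithm itself is
    public; an attacker who steals the website's database but not this key cannot
    even begin to test password guesses offline.
    """

    def __init__(self, pepper: bytes):
        if len(pepper) < 32:
            raise ValueError("pepper should be at least 32 random bytes (assumption)")
        self._pepper = pepper

    def pepper_password(self, password: str) -> bytes:
        # Keyed hash: same password + same pepper always yields the same digest,
        # so the website can compare later, but the digest is useless without the key.
        return hmac.new(self._pepper, password.encode("utf-8"), hashlib.sha256).digest()


class Website:
    """The site that registers users and stores (salt, hash) records in its database."""

    ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune for real hardware

    def __init__(self, service: HashingService):
        self._service = service  # stands in for a request to the hashing server
        self._db: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, hash)

    def _derive(self, password: str, salt: bytes) -> bytes:
        # Step 1: ask the service for the peppered digest (the part needing the secret).
        peppered = self._service.pepper_password(password)
        # Step 2: slow, salted hash on the site so that even a leaked pepper still
        # forces an attacker to pay the work factor per guess per user.
        return hashlib.pbkdf2_hmac("sha256", peppered, salt, self.ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt per user
        self._db[username] = (salt, self._derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record: Optional[Tuple[bytes, bytes]] = self._db.get(username)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, self._derive(password, salt))

    def export_record(self, username: str) -> Optional[Tuple[bytes, bytes]]:
        """What an attacker would obtain from a database dump: salt and hash only."""
        return self._db.get(username)


def offline_guess_without_pepper(salt: bytes, stored: bytes, guess: str) -> bool:
    """Models an attacker who has the database and knows the public algorithm,
    but lacks the pepper: PBKDF2 over the raw guess never matches the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"), salt, Website.ITERATIONS)
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    service = HashingService(os.urandom(32))
    site = Website(service)
    site.register("alice", "correct horse battery staple")
    print("login ok:", site.verify("alice", "correct horse battery staple"))
    print("wrong password:", site.verify("alice", "password123"))
    salt, stored = site.export_record("alice")
    print("offline guess without pepper:",
          offline_guess_without_pepper(salt, stored, "correct horse battery staple"))
```

The split matters for the question's threat model: a dump of the website's database yields only salts and hashes, and without the service's pepper the correct password does not even verify offline (`offline_guess_without_pepper` returns `False` for the right guess). The remaining design problems the post itself flags, how the site authenticates to the hashing server and how the pepper is protected on that host, are exactly where the real security of this scheme is decided; the code above assumes that channel is already trusted.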