These are chat archives for Automattic/mongoose

25th Jul 2016
LeonineKing1199
@LeonineKing1199
Jul 25 2016 15:19
Aren't you supposed to salt first?

From wiki:

In cryptography, a salt is random data that is used as an additional input to a one-way function that "hashes" a password or passphrase. Salts are closely related to the concept of nonce. The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.

A new salt is randomly generated for each password. In a typical setting, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database. Hashing allows for later authentication while protecting the plaintext password in the event that the authentication data store is compromised.

I actually think that PHP's password_hash function will automatically salt your passwords for you.
Andre de Waard
@andredewaard
Jul 25 2016 15:25
@brandonjfajardo thanks! Think I will look into that to implement it in mine. Does anybody have experience with a standalone REST API with authentication?
LeonineKing1199
@LeonineKing1199
Jul 25 2016 15:28
Just put your authorization string in the header and check it from there.
If you wanna do the whole salted password thing you can.
Or you can just give out to the user a securely generated authorization header.
I'd recommend reading every little bit of information you can though, security is tricky.
Most services I've ever used though just give out an API key.
Some long string of random characters that would be a pain in the butt to ever try and remember.
Andre de Waard
@andredewaard
Jul 25 2016 16:53
@LeonineKing1199 thanks for your tips. Will look into salt to hash the passwords.
Andre de Waard
@andredewaard
Jul 25 2016 20:49
@LeonineKing1199 I used this blog from mongodb to add user authentication: http://blog.mongodb.org/post/32866457221/password-authentication-with-mongoose-part-1
How should I save that a user is logged in to do calls to this standalone REST API?