
You can do the slow pbkdf2 hash on your webserver and use the result for your stored procedure to check the password. If the password column is only visible to the stored procedure you have used the best features of both systems.



No you can’t. To do the hash you need the per user salt before you start hashing. Which would require reading from the DB.


Then you can retrieve the salt, do the hash on the server, and use the stored procedure to compare. More requests, but a tradeoff for security \o/


There is no reason you can't have a deterministic function which generates a hash for the user.

A simple sha256(lower(email)) is as secure as a completely random salt; the only requirement on a salt is to be unique.
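The two-step flow the thread converges on (fetch the per-user salt, run the slow PBKDF2 on the web server, let the database do the comparison) as an added example that is not from the original thread. SQLite has no stored procedures or column grants, so `verify_in_db()` is an assumed stand-in for the procedure that alone can see `pw_hash`; the table, iteration count and sample users are constructed for the example.

```python
import hashlib
import os
import sqlite3
from typing import Optional

ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware


def setup_db() -> sqlite3.Connection:
    # Constructed in-memory users table. In the real deployment the
    # application role would be granted SELECT on email and salt only;
    # pw_hash would be reachable solely through the stored procedure.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def derive(password: str, salt: bytes) -> bytes:
    # The slow part runs on the web server, not inside the database.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt, as the thread assumes
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, derive(password, salt)))


def fetch_salt(db: sqlite3.Connection, email: str) -> Optional[bytes]:
    # The only read the application needs before hashing.
    row = db.execute("SELECT salt FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None


def verify_in_db(db: sqlite3.Connection, email: str, candidate: bytes) -> bool:
    # Stand-in for the stored procedure: the stored hash never leaves the
    # database, only a yes/no answer does. A real procedure should compare
    # in constant time where the DB engine offers a way to do so.
    row = db.execute(
        "SELECT 1 FROM users WHERE email = ? AND pw_hash = ?", (email, candidate)
    ).fetchone()
    return row is not None


def login(db: sqlite3.Connection, email: str, password: str) -> bool:
    salt = fetch_salt(db, email)
    if salt is None:
        # Burn the same PBKDF2 cost so an unknown email is not visibly faster.
        derive(password, os.urandom(16))
        return False
    return verify_in_db(db, email, derive(password, salt))
```

The extra round trip (salt lookup, then verification) is the trade-off the thread mentions; the hash column is never returned to the application.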



