What are the steps of hashing a password during registration and login to an application using a salt and a key?
Are the following steps considered correct if applied to an application?
1- During registration:
- user inserts password
- hashing function generates unique salt
- hashing function adds the salt to the password
- hashing function generates a unique key
- hashing function hashes the salted password with this key
- the password and the salt are sent to the application database
- the key is sent to another database
2- During login:
- user inserts password
- the application returns the password of the inserted username with the salt and the key
- hashing function adds the retrieved salt to the entered password
- hashing function hashes the salted password with the retrieved key
- the application compares the two hashed passwords for the user (the one registered in the application database and the one inserted)
- if both passwords are the same, then the login happens
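An added example, not part of the question, that implements the two procedures above in Python: registration generates a per-user salt and a per-user key, stores the salt and the derived hash in one store and the key in another, and login re-derives the hash from the stored salt and key and compares it. The two dict stores, the HMAC-then-PBKDF2 construction, the iteration count and the constant-time comparison are my choices, not something the question specifies; the example stores the derived hash rather than the password itself, since the comparison at login is between hashes.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the two databases in the question (assumption):
# USER_DB holds each user's salt and derived hash, KEY_DB holds each user's key.
# In a real deployment they would live in separately secured systems.
USER_DB: dict[str, dict[str, bytes]] = {}
KEY_DB: dict[str, bytes] = {}

SALT_LEN = 16
KEY_LEN = 32
# OWASP's current floor for PBKDF2-HMAC-SHA256; an assumption for this example.
PBKDF2_ITERATIONS = 600_000
DUMMY_SALT = b"\x00" * SALT_LEN
DUMMY_KEY = b"\x00" * KEY_LEN


def derive(password: str, salt: bytes, key: bytes) -> bytes:
    """Combine password, salt and key into one digest.

    The key is applied as an HMAC over the password (so the stored hash is
    useless to an attacker who has only the user table), and the result is
    salted and stretched with PBKDF2 so that guessing stays slow even if
    both stores leak.
    """
    keyed = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Registration: fresh random salt and key per user, stored in separate DBs."""
    salt = os.urandom(SALT_LEN)
    key = os.urandom(KEY_LEN)
    USER_DB[username] = {"salt": salt, "hash": derive(password, salt, key)}
    KEY_DB[username] = key


def login(username: str, password: str) -> bool:
    """Login: fetch salt, hash and key, re-derive, compare in constant time."""
    record = USER_DB.get(username)
    key = KEY_DB.get(username)
    if record is None or key is None:
        # Unknown user: do the same amount of work so response time does not
        # reveal which usernames exist.
        derive(password, DUMMY_SALT, DUMMY_KEY)
        return False
    candidate = derive(password, record["salt"], key)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("right password:", login("alice", "correct horse battery staple"))
    print("wrong password:", login("alice", "Tr0ub4dor&3"))
    print("unknown user:  ", login("mallory", "anything"))
```

The split into two stores only buys anything if the key store is protected differently from the user table (separate host, credentials or HSM); an attacker who can read both gets no more resistance than the salt and the slow KDF alone provide, which is why the KDF is still there.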