I was going through (https://crackstation.net/hashing-security.htm) about doing password hashing / storage the right way. I understood most of it, but I still have some questions and doubts which are unclear.
I store the password hash (generated with the password and a random salt) along with the salt on the server. How is this linked to a particular user exactly? So, if my database gets compromised (stolen), the attacker can get all password hashes and their corresponding salts. Won't that lead to all passwords getting leaked, since an attacker can run dictionary/brute-force schemes since he has the salts too?
The article mentions HMAC with a secret key. This is pretty unclear to me. What is the secret key? How is it tied to each user? I can log in from any machine in the world, so how is the secret key tracked? And again we have the same scenario as above if the database is compromised.
How does password sending from client to server work exactly? I understand the server first sends a random secret. The client appends this to the password and hashes it before sending the hashed value. This still needs SSL, correct? Or is there a way to prevent MITM without SSL?
So basically I am still unclear how exactly companies like Google and Apple manage user authentication (except the 2-factor stuff).
Thanks
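The storage scheme the question describes, as an added example that is not part of the original post or the linked article's code: each user row holds that user's own salt and hash, and an HMAC key is kept on the server outside the database. `SERVER_KEY`, `ITERATIONS`, the `users` dict and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumption: one server-wide secret key, kept outside the database
# (config file, environment, HSM). Constructed value for this example.
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 200_000  # assumed work factor; tune for your hardware

# Stands in for the users table: username -> (salt, stored hash).
users = {}


def _derive(password: str, salt: bytes, key: bytes) -> bytes:
    # Slow, salted hash: the per-user salt means a guess must be
    # recomputed separately for every user, so no shared lookup table works.
    slow = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Keyed step: a stolen database row alone is not enough to test
    # guesses offline as long as the server key was not stolen with it.
    return hmac.new(key, slow, hashlib.sha256).digest()


def register(username: str, password: str) -> None:
    # Fresh random salt per user, stored in the same row as the hash.
    salt = os.urandom(16)
    users[username] = (salt, _derive(password, salt, SERVER_KEY))


def verify(username: str, password: str, key: bytes = SERVER_KEY) -> bool:
    # The username selects the row; the row supplies the salt.
    row = users.get(username)
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed and stored values.
    return hmac.compare_digest(stored, _derive(password, salt, key))
```

The key is the same for every user and never leaves the server, so it does not depend on which machine the user logs in from.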