Login and Password Authentication

Original article: https://github.com/OpenIdentityPlatform/OpenAM/wiki/Login-and-Password-Authentication


The following article is intended for newbies, who want to develop authentication for their services. In the article, we will look at the most common authentication method - login and password authentication, its implementation, advantages, and disadvantages.

Authentication is an identity verification process. For software, authentication is used for verifying the identities of users or client applications. The most common way to authenticate users is login and password authentication.

User login could be public but the password should be only in the user’s memory (and not on a piece of paper under the keyboard or taped to the monitor!) and used for verification than login belongs to the only user who knows the password.


User identity data usually stored in a user database. And the only authentication system should have access to the database to minimize the risk of credentials leak.

Login in user database stored in plaintext to quick search for the user account. Password should be stored as its hash and never in plaintext. During authentication, the hash of the password entered by the user is calculated, compared with the value stored in the database and, if the values match, authentication is successful.

Password Hashing

To store a password in a database relatively secure, not the password itself is stored in the database, but password hash. The hash is calculated by the formula: password_hash = hash(password). To slow-down dictionary password attack, it is necessary to add so-called salt to password. Salt - is a random value, stored within the password hash. And password hash is calculated with function from password itself and hash password_hash = hash(password, salt). More information about salt in Wikipedia: Salt_(cryptography).

Database Authentication

Some databases support internal authentication. In this case, the database itself is responsible for login and password authentication. Authentication service sends authentication request with login and password to the database, and the database returns authentication result: whether it is successful or not. For example, such an approach uses Microsoft Active Directory.

Implementation Tips

Pros and Cons




Login and password authentication is the most common way to authenticate users, but it is also one of the most insecure, so it is recommended to use authentication without a password (login through social networks, biometrics, use of hardware security keys), or strengthen security by using the second authentication factor.