So, as I end up implementing whatever solution in some language anyway, I'd like to keep the topic general.
My rather simple question is: given a properly secured channel (TLS with DANE and a DNSSEC-secured domain), how best to implement a simple user registration?
I'm aware of concepts like hashing with salt or even one-time-pad schemes. But as far as I'm aware there's that one initial step where the user's login credentials somehow have to be set initially.
One type I encounter on a daily basis is to use the user's e-mail address as ID, have the user request a one-time-use token sent via e-mail (as there's no way to secure that, I might opt not to use it) and then set a new password by supplying the e-mail address, the one-time token and the new password. To validate this the server might then check a few things: does the second request come from the same remote IP as the first one, was the token already used, do the data match up. But this leads me to the question: how to transmit the password? Send it in plain as the channel is taken to be secure? Hash it already on the client and only transmit the hash? Re-use the token as salt?
Or to put it this way: how do I end up with something reproducible in the database based on user input?
Thanks for any input in advance.
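The flow described in the question (request a one-time e-mail token, then set the password with e-mail address, token and password), as an added example that is not part of the original post or any reply. It takes the "send the password in plain over TLS, hash it on the server" route: the client sends the raw password, the server verifies the token (present, unexpired, unused, constant-time match) and stores only a per-user random salt plus a PBKDF2-HMAC-SHA256 digest, which is the reproducible value the question asks for. The in-memory dicts, the function names and the 15-minute token lifetime are assumptions for the example; the returned token stands in for the e-mail that would carry it, and the remote-IP comparison from the question is left out.

```python
"""Registration with an e-mailed one-time token and server-side password hashing.

Example code written for this thread; not from the original poster.
Assumptions: the password arrives in plaintext over the TLS channel described in
the question, the dicts below stand in for database tables, and the token that
request_token() returns would in practice be sent by e-mail, never echoed back.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # OWASP-recommended work factor for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 15 * 60   # assumed token lifetime
SALT_BYTES = 16

# Stand-ins for database tables (constructed for the example).
pending_tokens = {}   # email -> {"token_hash": bytes, "expires": float, "used": bool}
users = {}            # email -> {"salt": bytes, "hash": bytes, "iterations": int}


def _token_hash(token: str) -> bytes:
    # Only a hash of the token is stored, so a leaked table does not hand out live tokens.
    return hashlib.sha256(token.encode("utf-8")).digest()


def request_token(email: str, now=None) -> str:
    """Step 1: user asks for a token; the server mails it and keeps only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    pending_tokens[email] = {
        "token_hash": _token_hash(token),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token   # in a real system: send_mail(email, token); return nothing to the client


def hash_password(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt per user makes equal passwords
    produce different stored values and defeats precomputed tables."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def complete_registration(email: str, token: str, password: str, now=None) -> bool:
    """Step 2: e-mail address + token + new password. Token must exist, be unexpired,
    unused and match; it is burned before the password is stored (single use)."""
    now = time.time() if now is None else now
    rec = pending_tokens.get(email)
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    # Constant-time comparison of the token hashes, not of the raw tokens.
    if not hmac.compare_digest(rec["token_hash"], _token_hash(token)):
        return False
    rec["used"] = True
    salt, digest = hash_password(password)
    users[email] = {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}
    return True


def verify_login(email: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    user = users.get(email)
    if user is None:
        # Do the same amount of work so an unknown address is not cheaper to probe.
        hash_password(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    _, digest = hash_password(password, user["salt"], user["iterations"])
    return hmac.compare_digest(digest, user["hash"])


if __name__ == "__main__":
    t = request_token("alice@example.com")
    print("registered:", complete_registration("alice@example.com", t, "correct horse battery"))
    print("replayed token accepted:", complete_registration("alice@example.com", t, "other"))
    print("login ok:", verify_login("alice@example.com", "correct horse battery"))
    print("login wrong:", verify_login("alice@example.com", "wrong"))
```

Hashing on the server rather than the client is deliberate: if the client sent `H(password)` instead, that hash would simply become the secret the server compares, so anyone who obtained the stored table could log in with it directly, and the server would still have to salt and stretch it. The token is also kept separate from the salt: `os.urandom` gives each user an independent salt, and the token is burned as soon as it is checked so it cannot be replayed to reset the password a second time.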