Storing passwords for user in EventStore

Hi all,

Has anyone previously stored passwords for their users in the EventStore (not in plain text(!)) and if so what strategies have they used for doing so?

Or is storing passwords in any form in the EventStore not a good idea under any circumstances?

Kind regards,

Mark

Same advice applies here as in any situation. Don’t do it; delegate this to an external identity provider if at all possible. That being said, if you absolutely have to, see the following articles (assuming .net here):

https://crackstation.net/hashing-security.htm

https://lockmedown.com/hash-right-implementing-pbkdf2-net/

Ultimately, what you need to do is generate a random salt for each new user using RNGCryptoServiceProvider. With that salt, hash the password using Rfc2898DeriveBytes. Then store the hashed password, along with the salt in your database. Pay special attention to the slowEquals implementation!
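The steps in the reply above, written out as an added C# example (not code from the thread or from EventStore); the `PasswordRecord` type, the constant names and the iteration count are this example's own choices:

```csharp
using System;
using System.Security.Cryptography;

// Added example: per-user random salt, PBKDF2 via Rfc2898DeriveBytes,
// and a constant-time compare. PasswordRecord is this example's own type.
public sealed class PasswordRecord
{
    public byte[] Salt { get; set; }
    public byte[] Hash { get; set; }
    public int Iterations { get; set; }   // stored so it can be raised later
}

public static class PasswordHasher
{
    const int SaltBytes = 16;
    const int HashBytes = 32;
    const int DefaultIterations = 100_000; // tune upward as hardware allows

    public static PasswordRecord Create(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);            // fresh random salt for every user
        var hash = Pbkdf2(password, salt, DefaultIterations);
        return new PasswordRecord { Salt = salt, Hash = hash, Iterations = DefaultIterations };
    }

    public static bool Verify(string password, PasswordRecord rec)
    {
        var candidate = Pbkdf2(password, rec.Salt, rec.Iterations);
        return SlowEquals(candidate, rec.Hash);
    }

    static byte[] Pbkdf2(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Touch every byte regardless of where the first mismatch is, so the
    // time taken does not reveal how much of the hash matched. On .NET Core
    // 2.1+ CryptographicOperations.FixedTimeEquals provides the same check.
    static bool SlowEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Persist `Salt`, `Hash` and `Iterations` together (for example base64-encoded in the user's event) and pass them back to `Verify` on login; never store or log the plaintext password.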

EventStore itself stores passwords in EventStore for user accounts. You can treat a stream like a KV (only read last). Follow general guidelines for any storage of passwords (e.g. hashing).