
Everywhere I have looked at logins and how to deal with them, the tutorials just show me comparing to plain text.

I know never to store a plain text password in the database.
I am just asking if there is any material I can read or look at that has a general, standardized way of storing passwords at a semi-commercial level.

I'm asking because I am creating an application myself, and wish to have good security practices from the start, so as to improve on them further in my IT life.
Things I am assuming:

  1. Encrypt the password and store it.
  2. Upon logging in, encrypt the password and compare the two.

I just want to further my knowledge for a more commercial-level login system, instead of learning about plain text logins. Any sources would be much appreciated.

Vaughan D
  • Hello, yes, just browsing through it, it seems I can use this to my advantage; I will read through it, but it seems I can do transferable work off it. – Vaughan D Mar 23 '17 at 00:52

1 Answer

This is a very good read: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

In general you are usually going to want to store your passwords as a "salted hash". Then you accept their password, run it through your hash function (I use bcrypt) and compare the two.

Also, another little detail to note that some people do not think about is the messages you are returning to your users. For example: if someone submits the credentials {user1, mypassword} and either of those credentials is incorrect, you should return "user/password combination invalid" instead of giving a specific message such as "password incorrect", which would reveal that they are attempting against an existing account. Never give more information than needed.

This question will be useful as well: How to securely hash passwords?

nd510
    This is great, thank you so much. I am going to test with bcrypt; the password cheat sheet does look very handy, thank you for this. I was just hoping my assumptions were correct and a decent defense, but looking at the cheat sheet, there is a whole lot more I can do. Thank you. – Vaughan D Mar 23 '17 at 00:56
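The two points in the answer above (store a salted hash, and return the same generic message whether the username or the password is wrong) as an added example, not code from the question or the answer. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt so it runs without extra packages; the user table is constructed in memory.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt here because it ships with
# the standard library. The iteration count is the cost factor; raise it over time.
KDF_ALGORITHM = "pbkdf2_sha256"
KDF_ITERATIONS = 600_000
GENERIC_ERROR = "user/password combination invalid"


def hash_password(password: str, iterations: int = KDF_ITERATIONS) -> str:
    """Return a self-describing 'algorithm$iterations$salt$digest' string.

    A fresh random salt per password means two users with the same password
    get different stored values, so one cracked hash reveals nothing about
    the other."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{KDF_ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the KDF with the stored salt and parameters, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != KDF_ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed in-memory user table: username -> stored hash string.
USERS = {"user1": hash_password("mypassword")}

# Dummy hash used for unknown usernames so that a missing account still costs
# one full KDF run; otherwise response time alone would reveal which users exist.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


def login(username: str, password: str, users=USERS):
    """Return (success, message). The message is identical for a wrong password
    and an unknown user, as the answer recommends."""
    stored = users.get(username, _DUMMY_HASH)
    password_ok = verify_password(password, stored)
    if password_ok and username in users:
        return True, "login ok"
    return False, GENERIC_ERROR
```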