I have an application running locally and, to access the application, a user has to log in using a user name and password. At the time of login, the provided password is hashed and compared to the existing hashed password.
The application uses a database and stores users' credentials in a users table. The users table has columns to store the user id, user name and one-way hashed password for each user.
The application hashes user passwords at the time of user creation or when users change their password. The hashing returns different hashes for two users with the same password. The hashed password is stored within the table together with the number of iterations (generated randomly) used to hash the password. Example: 2CF7C.ABLK/hrjy...zCOI5A=
One weakness I have found is that if the database gets compromised by an existing user, that user can update another user's password with their own password. The malicious user can then use the credentials of the compromised user to access the application.
In mitigation of the weakness, I intend to hash either the user id, the user name or both and store them together with the password. At login, a check is made of the hashed user id and password, and if they don't match, the login fails.
Is there a better alternative for handling this weakness?
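The mitigation the question describes (binding the row's user id into the password hash so that a record copied from one row to another no longer verifies) can be shown end to end. The following is an added example, not code from the question's application: it uses PBKDF2-HMAC-SHA256 with a random salt and a randomly chosen iteration count stored alongside the hash, as the question describes, and folds the user id into the salt. The `iterations$salt$hash` record format, the iteration range and the user names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed for this example (not from the question): the per-user iteration
# count is drawn from this range and stored with the record. Verification
# refuses counts outside the range so a tampered row cannot lower the cost.
MIN_ITERATIONS = 100_000
MAX_ITERATIONS = 150_000
SALT_BYTES = 16


def _derive(user_id: str, password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with the user id folded into the salt.

    Because the id is part of the input, the same password and salt yield a
    different digest for every row, which is what makes a copied record fail.
    """
    bound_salt = user_id.encode("utf-8") + b"\x00" + salt
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bound_salt, iterations)


def hash_password(user_id: str, password: str) -> str:
    """Return the string to store in the users table: iterations$salt$hash."""
    iterations = secrets.randbelow(MAX_ITERATIONS - MIN_ITERATIONS + 1) + MIN_ITERATIONS
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _derive(user_id, password, salt, iterations)
    return "$".join([
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(user_id: str, password: str, stored: str) -> bool:
    """Recompute the digest using the id of the row being checked.

    A record copied from another user's row fails here because that user's
    id, not this one, was bound into the stored digest.
    """
    try:
        iter_str, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iter_str)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False  # malformed record (binascii.Error is a ValueError)
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        return False  # iteration count tampered with
    actual = _derive(user_id, password, salt, iterations)
    return hmac.compare_digest(actual, expected)


def copied_row_scenario() -> dict:
    """Constructed scenario from the question: one user overwrites another
    user's row with their own stored record, then tries to log in as them."""
    users = {
        "alice": hash_password("alice", "alice-password"),
        "bob": hash_password("bob", "bob-password"),
    }
    users["alice"] = users["bob"]  # bob's record copied into alice's row
    return {
        "bob_logs_in_as_bob": verify_password("bob", "bob-password", users["bob"]),
        "bob_logs_in_as_alice": verify_password("alice", "bob-password", users["alice"]),
    }


if __name__ == "__main__":
    print(copied_row_scenario())
```

Binding the id only defeats copying an existing row between users. Anyone who can write to the table and knows the hashing scheme can still compute a fresh, correctly bound record for another user, so this check is a complement to, not a replacement for, restricting write access to the users table and alerting on out-of-band changes to password columns.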