I'm starting to write my first serious web application and am thinking about how to store username and password information. There are plenty of articles detailing how storing plain text passwords is a very bad idea, and salted encrypted passwords are the way to go. However, I can find very little about restricting access to the user data itself.
I'm thinking about a situation where my web app is compromised and an attacker can read any information from my database. Even if I store usernames with encrypted passwords, the attacker would be able to lift all the usernames from the database (but at least they wouldn't get the passwords). However, I could restrict access so even my app didn't have access to this data. I was thinking of preventing my database user from viewing the table with usernames and passwords. You could then give access either via a stored procedure which takes the username and password - returning true if a username with the password is found, or presenting a view of hashed usernames and passwords, so even if compromised the real usernames can't be found.
Given I'm new to this, and I've failed to find any articles recommending anything similar, I'm guessing I've missed something simple that makes the above ideas insecure.
Thanks.
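The stored-procedure idea from the question, written out for PostgreSQL as an added example that is not part of the original post. The role, schema, table and function names are hypothetical, and it assumes the pgcrypto extension is available and not yet installed in the database.

```sql
-- Added example for PostgreSQL, run as a superuser. All role, schema, table
-- and function names are hypothetical; assumes pgcrypto is not yet installed.
BEGIN;

CREATE ROLE auth_owner NOLOGIN;   -- owns the credential data, never logs in
CREATE ROLE webapp LOGIN;         -- role the web app connects as (password setup omitted)

CREATE SCHEMA auth AUTHORIZATION auth_owner;
CREATE EXTENSION pgcrypto SCHEMA auth;   -- provides crypt() and gen_salt()

CREATE TABLE auth.credentials (
    username      text PRIMARY KEY,
    password_hash text NOT NULL           -- bcrypt string, salt embedded
);
ALTER TABLE auth.credentials OWNER TO auth_owner;

-- Returns only a yes/no answer; runs with auth_owner's rights, not the caller's.
CREATE FUNCTION auth.check_login(p_username text, p_password text)
RETURNS boolean
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = auth, pg_temp          -- pin name lookup inside the definer function
AS $$
    SELECT EXISTS (
        SELECT 1
        FROM auth.credentials c
        WHERE c.username = p_username
          AND c.password_hash = auth.crypt(p_password, c.password_hash)
    );
$$;
ALTER FUNCTION auth.check_login(text, text) OWNER TO auth_owner;

-- Functions are executable by PUBLIC by default, so revoke before granting.
REVOKE ALL ON FUNCTION auth.check_login(text, text) FROM PUBLIC;
GRANT USAGE ON SCHEMA auth TO webapp;
GRANT EXECUTE ON FUNCTION auth.check_login(text, text) TO webapp;

-- Constructed sample account, inserted by the administrator.
INSERT INTO auth.credentials
VALUES ('alice', auth.crypt('correct horse battery', auth.gen_salt('bf', 12)));

COMMIT;

-- As the application role: the function is callable, the table is not.
SET ROLE webapp;
SELECT auth.check_login('alice', 'correct horse battery');
SELECT username FROM auth.credentials;   -- webapp holds no SELECT privilege here
```

With this layout a compromised `webapp` connection cannot read usernames or hashes in bulk, but it can still submit guesses through `auth.check_login`, so login throttling and a slow password hash remain necessary.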