How to store passwords safely in the database?
date
Mar 25, 2021
slug
how-to-store-passwords-safely-in-the-database
status
Published
tags
Website
security
system design
summary
Proin fringilla arcu in neque tincidunt, nec auctor quam interdum. Aenean sollicitudin viverra turpis, at fermentum quam scelerisque vitae. In aliquet velit mauris, a placerat massa laoreet in. Phasellus blandit, ex a maximus accumsan, neque urna egestas augue, quis aliquet ipsum magna eu neque.
type
Post
let’s take a look.
Thing NOT to do
- Internal traitor: Storing passwords in plain text is not good idea because anyone with internal access can see them.
- Storing password hashes directly is not sufficient because it is pruned to precomputation attacks, such as rainbow tables.
- To mitigate precomputation attacks, we salt the passwords.
What is salt?
According to OWASP guidelines, “a salt is a unique, randomly generated string that is added to each password as part of the hashing
process”
How to store password in DB?
𝐇𝐨𝐰 𝐭𝐨 𝐬𝐭𝐨𝐫𝐞 𝐚 𝐩𝐚𝐬𝐬𝐰𝐨𝐫𝐝 𝐚𝐧𝐝 𝐬𝐚𝐥𝐭?
1️⃣A salt is not meant to be secret and it can be stored in plain text in the database. It is used to ensure the hash result is unique to each
password.
2️⃣ The password can be stored in the database using the following
format: 𝘩𝘢𝘴𝘩( 𝘱𝘢𝘴𝘴𝘸𝘰𝘳𝘥 + 𝘴𝘢𝘭𝘵).
𝐇𝐨𝐰 𝐭𝐨 𝐯𝐚𝐥𝐢𝐝𝐚𝐭𝐞 𝐚 𝐩𝐚𝐬𝐬𝐰𝐨𝐫𝐝?
To validate a password, it can go through the following process:
1️⃣A client enters the password.
2️⃣The system fetches the corresponding salt from the database.
3. The system appends the salt to the password and hashes it. Let’s call the hashed value H1.
4️⃣The system compares H1 and H2, where H2 is the hash stored in the database. If they are the same, the password is valid.
Over to you: what other mechanisms can we use to ensure password safety?