Securely Storing Passwords in IT Development
→ In this article we will learn how passwords should be stored
→ One of the most common ways you might have heard of is hashing
Hashing:
→ It is an irreversible step
→ The most famous one is SHA-256
→ Let us now understand this from the developer/user perspective
Understand the Problem:
→ There is a nice online editor for viewing hash values. Check here
→ Every time we put in 123456 we get 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92 as output
→ Copy and paste this SHA value somewhere in notepad.
→ Let us retry with some other password, e.g. hello
→ We get a different hash.
→ If we retry 123456 as the password and search the previously copied hash, we get exact same hash.
Conclusion:
→ The same input text always gives the same SHA value
Hackers/Attackers Point of View:
→ Now the attacker has something called a rainbow table. You will not believe it: it is a precomputed table of plaintexts and their respective SHA values.
→ The stored values depend on the hashing algorithm, so there is a table per algorithm.
→ Hence users are advised not to use common passwords.
→ Imagine that instead of your Amazon or Flipkart account, your credit card password is compromised. Therefore using strong passwords is important.
→ To fix this: the answer is Salt
Salt:
→ Password salting is a technique to protect passwords stored in databases by adding a string of 32 or more characters to the password and then hashing the result
→ Simply put, we attach a random string to the password:
    xxxxxx_<password>
    e.g. 1: xxxxxx_123456
    e.g. 2: akjhasd_123456
    e.g. 3: P*^XKja_123456
→ So with a salt our SHA value changes every time, and the attacker's rainbow table no longer matches
→ Our application is safe.
Extreme Secure:
→ Now, to make your application even more secure, use a different salt per user or even per password.
→ That will make our system pretty much impossible to compromise.
→ Breaches in the database will not be helpful to attackers.
For Developers:
→ Luckily we need not code much for this. There are great trusted libraries/SDKs available.
→ For JavaScript there is bcrypt.
E.g. from the package:
const bcrypt = require('bcrypt');
const saltRounds = 10; // cost factor: each increment doubles the hashing work
const myPlaintextPassword = 's0/\/\P4$$w0rD';
const someOtherPlaintextPassword = 'not_bacon';

// Technique 1 (generate a salt and hash on separate function calls):
bcrypt.genSalt(saltRounds, function(err, salt) {
  if (err) throw err;
  bcrypt.hash(myPlaintextPassword, salt, function(err, hash) {
    if (err) throw err;
    // Store hash in your password DB (the salt is embedded in the hash string).
  });
});

// Technique 2 (auto-gen a salt and hash):
bcrypt.hash(myPlaintextPassword, saltRounds, function(err, hash) {
  if (err) throw err;
  // Store hash in your password DB.
});
→ A bcrypt SDK is also available for Java, Python, Ruby, R, and C#.
→ If you use a different programming language, search for a bcrypt library for it.
Conclusion:
Secure password storage is essential in any application. With the high number of application attacks these days, securing stored passwords is important.
Developers should use hashing and password salting techniques to improve the security of their applications.
Thank you for reading till the end 🙌. If you enjoyed this article or learned something new, support me by clicking the share button below to reach more people, and/or subscribe to Happy Learnings to see other tips, articles, and things I learn about and share there.