Password Storage

Terence_Bezman
December 19, 2018

Password Storage


Password storage has been a discussion point for decades and there are always pros and cons to each way of storage.


Encryption


This is the least secure way to store your user's passwords. Encryption as basic as possible is you can go from a to b and from b to a with a password. If you didn't already notice the security flaw here, it's that if we wanted to, we could easily try to brute-force a password with a bunch of keys until we got plain text back. Encryption is much more complex than just change character to some other character, but we'll skip that to save time.


Hashing


Hashing is a much more secure way of storing your user's passwords. Hashing is a way to go from a to b, the catch here is that once you've gone from a to b, you can't go back to a. This is much more secure than encryption because the hypothetical hacker could not just try to brute-force the hashed value back to the original password. Think of it like algebra, the hashed value is just the number 4. We have no idea how we got the number 4, it could have been 1 + 3, 5 - 1. There is no way to tell how we got the hashed value. There is a security flaw here but it isn't nearly as obvious as the encryption security flaw. The flaw with hashing is that a hacker could have a pre-computed Rainbow Table (https://en.wikipedia.org/wiki/Rainbow_table). The hacker could then use this Rainbow Table to check if a user's password is the same as one in the Rainbow Table. The other big flaw with hashing is that two users could end up having the same password value. The hacker could use this data to see whose passwords are the same. There is a very simple solution to this problem although not apparent from the beginning.


Salt


Salt is the solution to the Rainbow Table problem and two users having the same passwords. When a user signs up and you hash the user's password, add what's called salt as a prefix to the password value. Salt is just a randomly generated piece of data used to make sure two passwords aren't the same in the database. So to utilize this, add the salt to the beginning of the password and add a separator between the salt and the password so you can identify it when making sure the user's login information is valid.


Conclusion


To sum this up, encryption is a no no! Hashing is okay, but why not go the extra mile of adding some salt to the value. There are more secure ways to do password storage, but Hash + Salt is what I think a nice balance between complexity and simplicity.