Whenever you build an application that requires a login, you need to store your users' passwords. Passwords matter because they give whoever holds them full access to a user account. Hence, it is very important how you manage passwords: sending them in requests, storing them and retrieving them. In this post, we will talk about the different techniques for storing passwords.
Cleartext
The most obvious method is to store them as cleartext in the database. When a user tries to log in, you simply compare the plain text and decide whether the user provided the correct password. You might not realize the security risks of this approach until you are hacked. In fact, in 2011, Sony was hacked and the details of users, including their cleartext passwords, were released. Soon thereafter, Yahoo was breached and the user data of thousands of people was put online. Clearly, these big companies were making a serious mistake by storing passwords as cleartext. A simple Google search shows that many such companies, like GoDaddy or Starbucks, still store passwords in plain text.
Using a hash
The most basic way of securing passwords is to store them after running them through a hash function. A hash function is an algorithm that maps input data (in this case, password strings) to a string of a fixed length. The output of such a function is called a hash. Two very common hashing algorithms are md5 and sha1.
Both md5 and sha1 hash your strings very quickly and return hexadecimal strings that look like gibberish. However, once a string has been hashed (a very fast process), there is no way to compute the input from the output; the only way to recover it is brute force, guessing inputs until one produces the same hash. Hash functions are, in other words, one-way functions. They generate a string that is effectively unique to the input.
We store the hashed values of passwords in the database, and every time a password is provided, we hash it and compare the result to the value in the database. This way, we never have to convert the hash back to the original input!
Security concerns of using a hash
Although hashing might seem like a good idea, it has its own flaws. Hash functions are designed to be very fast. With modern computing power, it has become relatively easy to “guess” passwords by brute force. Unless your password is very long and mixes uppercase and lowercase characters, numbers and special characters, it can be guessed once the database has been compromised!
In addition to that, the hashes of common words are available online. This means that a simple Google search can reveal what your original input was. For instance, the md5 hash of the word “hello” is “5d41402abc4b2a76b9719d911017c592”. If you perform a Google search for the hashed string, you can easily find pages that tell you the input. In fact, there are many online tools for looking up (“reversing”) the md5 hashes of common words.
Another issue with a simple hash is that it is deterministic: the same password always produces the same hash. If one person’s password is cracked, then anyone else with the same hash necessarily has the same password!
Using a salt and then hash
A salt is a random string that is combined with the password before hashing, which addresses the security concerns highlighted above. It prevents an attacker from comparing the stored output with precomputed hash values and their corresponding inputs. A salt makes your hashes much harder to crack and provides an added layer of security.
How then do you store the salt?
The best way to store a salt is to generate it at run time and store it appended or prepended to your hashed value. PHP’s password_hash() function returns a result in exactly this form, as shown below.
(Image of a password_hash() result not reproduced; source: php.net)
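The same salt-then-hash scheme in Python, as an added example that is not part of the original post: a random per-user salt is generated at run time and stored in front of the digest, and login re-derives the digest from the stored salt. The `salt$iterations$digest` layout and the use of PBKDF2-SHA256 (a deliberately slow hash, rather than the md5/sha1 discussed above) are this example's own choices, not PHP's password_hash() format.

```python
import hashlib
import hmac
import secrets

def unsalted_md5(password):
    """The scheme the post warns about: a bare md5 digest.
    Every user with this password gets the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None, iterations=200_000):
    """Salt-then-hash. A fresh 16-byte random salt is drawn per call
    (i.e. per user) and stored next to the digest. The field layout
    salt$iterations$digest is our own choice, not a standard format."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"

def verify_password(password, stored):
    """Re-derive the digest with the stored salt and iteration count and
    compare in constant time; the stored value is never 'reversed'."""
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

if __name__ == "__main__":
    # Two users who happen to choose the same weak password "hello".
    alice = hash_password("hello")
    bob = hash_password("hello")
    print("unsalted md5, identical for both:", unsalted_md5("hello"))
    print("alice:", alice)
    print("bob:  ", bob)
    print("different stored values:", alice != bob)
    print("alice logs in:", verify_password("hello", alice))
    print("wrong password rejected:", not verify_password("Hello", alice))
```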
Conclusion
Now that we have discussed the various ways of storing passwords, which should you use? It is evident that you must add randomly generated salts to your passwords before hashing them. In addition to that, you must also encourage your users to choose strong passwords, so that, even if your system is breached, their data stays secure.
We hope that this post helped you in enhancing the security of your application. If you have any queries, feel free to comment below!
By Team FileCloud