Storing Passwords Securely With A Pinch Of Salt
I'm sure we can all agree that storing passwords in plain text, in a database is a very bad idea. So, how should you store them? Encrypted or hashed? What does adding a salt do?
Some might decide to encrypt the stored passwords to secure them, but in reality (as you are still storing the password in some form) all this does is add a little inconvenience for someone attempting to disclose the passwords stored in your database.
Here's a diagram demonstrating the use of encryption:
Using the analogy of a safe:
The password is stored in a safe (encrypted) with a key or code (encryption key) and the safe is then stored in the database. This is a two-way process. If the database is compromised then someone has access to the safe (encrypted password) and all that is required is the key or code (encryption key) to unlock it (decrypt). The key could be brute forced or might be found within your application. Not good.
Instead of encrypting the passwords they are passed through a hashing function and only the digest (which is like a fingerprint) is stored in the database - not the password itself. This is a one-way process and is practically impossible to reverse. If the database is compromised then there is no way to gain the password from the digest.
Demonstration of the use of a hashing function:
Although much better than encryption this method of securing a password still has it's flaws. Comparing a table of password digests against a rainbow table (precomputed table of digests) it is possible to figure out at least some of the passwords.
Add a Salt
We can build on securing passwords with hash functions by introducing a unique salt to the hashing process. A salt is a randomly generated string that is added to the password before it is hashed to render a rainbow table useless.
Addition of a salt:
Two important points:
- Use a long and unique salt for every password
- The salt can be stored along with the password
There's no need to reinvent the wheel when it comes to secure password storage and there are plenty of good articles and resources to be found on practical implementations.
Never store passwords in plain text or even encrypted. Always use a hashing function with a long, unique salt for each password.