Store Passwords The Right Way | Web Security

It is 2019 and security matters as much as it ever has. As a beginner web developer, you will reach a point where you need to store user information such as passwords. It may not seem like much at first, but storing passwords in your database has to be done right.

Many people use the same password for all their accounts because it is easier to remember, but this is an extremely bad idea: attacks such as SQL injection and phishing can expose sensitive user data, and a password leaked from one site then unlocks every other account that uses it. This article is written for newbie web developers to make them aware of how sensitive information should be stored in a safe and responsible manner.

Use Social Logins

One of the safest methods is to let the social media giants handle the login procedure for you. Almost every platform we use today offers the option to log in with Google, Facebook or similar services. As a newbie, the best way to store passwords is not to store them at all.

To add social logins to your website, you use the APIs of the respective services. Essentially, your site sends a request to the social network provider, which confirms the user's identity on your behalf.

The only disadvantage of this method, unlikely as it is, is that a person who does not use any of those services will not be able to use your platform.

Salting + Hashing

The most crucial thing to remember about storing passwords is that you should never store them in plain text. Some wrongly assume that encrypting passwords is the answer, failing to realise that encrypted strings can be reversed by anyone who obtains the key, and that it is also easy to obtain the encryption key through social engineering or brute-force attacks. Encryption provides only the bare minimum of protection for this kind of sensitive information.

Salting and hashing is the standard procedure for securing passwords when you do have to store them in your database. However, you need to keep yourself up to date: new problems lead to new security measures, and these change very quickly.

What is Hashing?

Hashing is a one-way transformation of a password: the password entered by the user is turned into another string in such a way that it cannot be traced back to the original password.

When the user tries to log in, the password they enter is hashed and the resulting string is compared with the string stored in your database. This way you never have to store the original password.

An illustration showing passwords being hashed

Some of the common hashing methods used are MD5 and SHA1. Recently a few vulnerabilities have been discovered in MD5, and rainbow tables have been published that allow people to reverse MD5 hashes made without good salts. These functions are becoming outdated and are therefore not always secure; you must always follow the current standard.

How Salting Saves the Day

As stated above, just hashing the password is not secure enough today. This is where salting comes in.

An illustration showing passwords being hashed with salt

Salting involves appending an absolutely unique string to the password before hashing it. An attacker trying to recover the original password then not only has to reverse the hash but also has to guess the salt. The idea is to use a unique string for every user. For complete secrecy, be sure not to store the salts anywhere.

It is your job as the web developer to choose a secure method of salting the password and to devise a way to match the user's password at login without storing the unique salt anywhere.
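To make the hashing and salting steps above concrete, here is an added Python example written for this article; it is not code from the original post. It follows the article's design of not storing the salt: a per-user salt is derived from the user's ID with HMAC keyed by a server-side secret (a "pepper", here a constructed constant that a real deployment would load from an environment variable or secret store), so at login the salt is recomputed instead of being read from the database. The password itself is hashed with PBKDF2-HMAC-SHA256, a current standard, and the record stores its own iteration count so the cost can be raised later as standards move on. The naive_hash function is included only to show why unsalted hashing is weak: it depends on the password alone, so two users with the same password get identical rows. All function names, the sample users and the pepper value are assumptions of this example. For comparison, libraries such as bcrypt and Argon2 take the other common route and keep a random salt next to the hash; either way the salt is unique per user.

```python
import hashlib
import hmac

# Hypothetical server-side secret ("pepper"). It never goes into the database;
# a real deployment loads it from an environment variable or a secret store.
# The value below is a constructed sample for this example.
PEPPER = bytes.fromhex("5f8a1c3e9b2d4f60718293a4b5c6d7e8")

# PBKDF2-HMAC-SHA256 at this iteration count follows current OWASP guidance.
PBKDF2_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def naive_hash(password: str) -> str:
    """Unsalted SHA-256, shown only to illustrate the weakness.

    The digest depends on the password alone, so every user with the same
    password gets the same value, and precomputed (rainbow) tables apply.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def derive_salt(user_id: str) -> bytes:
    """Per-user salt that is never stored.

    It is recomputed at login from the user's ID and the pepper, so the
    database holds nothing that lets an attacker rebuild it.
    """
    return hmac.new(PEPPER, user_id.encode("utf-8"), hashlib.sha256).digest()


def hash_password(user_id: str, password: str,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$hex_digest.

    Recording the iteration count lets you raise it later and re-hash each
    user on their next successful login.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 derive_salt(user_id), iterations, dklen=32)
    return f"{ALGORITHM}${iterations}${digest.hex()}"


def verify_password(user_id: str, password: str, stored: str) -> bool:
    """Re-derive the salt, re-hash with the stored cost, compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return False  # malformed or unknown record
    candidate = hash_password(user_id, password, int(parts[1]))
    return hmac.compare_digest(candidate, stored)


def register(db: dict, user_id: str, password: str) -> None:
    """Store only the hash record; neither the password nor the salt is saved."""
    db[user_id] = hash_password(user_id, password)


def login(db: dict, user_id: str, password: str) -> bool:
    """Check a login attempt against the stored record.

    Unknown users still pay for one hash computation, so a failed login takes
    about the same time whether or not the account exists.
    """
    stored = db.get(user_id)
    if stored is None:
        hash_password(user_id, password)  # burn the same CPU time, then fail
        return False
    return verify_password(user_id, password, stored)


if __name__ == "__main__":
    users = {}  # stands in for the users table; constructed sample data
    secret = "correct horse battery staple"
    register(users, "alice", secret)
    register(users, "bob", secret)
    print("unsalted digest (same for every user with this password):",
          naive_hash(secret))
    print("alice record:", users["alice"])
    print("bob record:  ", users["bob"])
    print("alice, right password:", login(users, "alice", secret))
    print("alice, wrong password:", login(users, "alice", "Tr0ub4dor&3"))
    print("unknown user:", login(users, "carol", secret))
```

Only the `pbkdf2_sha256$...` records end up in the database: the password is never written, and the salt is recomputed from the user ID and the pepper on every login, which is exactly the matching step the article asks you to design.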

If you’re interested in reading more about this topic, head over to Naked Security’s article: Serious Security: How to store your users’ passwords safely. Do comment below if you have any doubts! 😎