Credentials, which include usernames and passwords, are prime targets for hackers because they provide the gateway to valuable personal data and accounts. If your web application stores passwords in a database, it’s essential to follow best practices to secure them, minimizing the risk of exposing sensitive user information.
This article will guide you through key methods, such as encryption, hashing, salting, and peppering, that help protect passwords.
The first and most crucial rule of storing passwords securely is: never store passwords in plain text. Plain text passwords are unencrypted and can be easily accessed if a database is breached.
Hashing
Instead of storing passwords in plain text, you should use hashing. Hashing is a one-way encryption algorithm that converts the password into a fixed-length string of characters. Once hashed, the password cannot be reversed or decrypted back into its original form, making it much more difficult for attackers to retrieve the user’s actual password.
When a user logs in, your application hashes the password they enter and compares it with the stored hash. If the values match, the user’s password is correct.
Salting Passwords for Extra Security
Hashing alone isn’t enough. To further enhance security, you should salt your passwords. Salting involves adding a unique, random string (the salt) to each password before it is hashed. You can use the same salt for each password you store or, better, generate a new one for each password and store it alongside the password.
Salts make it much harder for attackers to use precomputed tables of common password hashes, known as rainbow tables ( look up table), to crack passwords. These tables contain hash values for common passwords and their corresponding plaintext values, which an attacker can use to quickly reverse-engineer hashes.
With salted passwords, an attacker has to resort to brute-forcing passwords — trying common passwords one at a time and checking them against the hash value.
Peppering
While salting helps protect against rainbow table attacks, it’s not foolproof. One additional layer of security is peppering. Peppering involves adding a secret value (the pepper) to the password before hashing, in addition to the salt. The key difference between a salt and a pepper is that the pepper is not stored in the database. It’s kept securely on the server side.
By combining salting and peppering, you make it even harder for attackers to break into your system. While salts are unique for each password and can be stored with the hash, the pepper remains secret, making it harder for an attacker to break the password hashes if they get access to the database. Even if an attacker has access to the database (salt + hash), they cannot easily compute the correct password hashes without knowing the pepper.
Implementing these practices ensures that, even if your database is compromised, the attacker won’t easily recover users’ passwords. Always prioritize security, as it’s an ongoing challenge that evolves as attackers develop new tactics.
Stay tuned for upcoming articles where we will explore more best practices for writing secure code.
If you enjoyed this, please give it some claps to help it reach more people. For more stories like this, follow me.
Disclaimer: This is my personal blog. The opinions expressed in this blogpost are my own & do not necessarily represent the opinions, beliefs or viewpoints of my current or any previous employers.
