The Most Secure Way to Store a Password

By Shane Staret on 2018-02-13

No, I’m not talking about your own personal passwords. Rather, I am talking about the passwords your users choose when they create an account on the website you run. We have all heard about the massive number of data breaches that hit major companies every year. Sometimes millions of passwords are accidentally compromised because of an error in how those passwords are actually stored. Today, we will go over exactly how you should store a user’s password in order to minimize the risk of it being discovered by an external party.


Any reasonable web developer would use some kind of database management system to store the passwords of their users. They might set up a table called “user information” that has two columns, “username” and “password”. So, when a person wants to create a brand new account, a new row is created in the table. Once this new user enters what they want their username and password to be, the database stores it. Of course, the developer’s website may have specific criteria for what constitutes an acceptable username or password, and, of course, no two usernames can be identical. But do you see a problem with storing passwords in this manner? Think about it for a couple of seconds, because it should be rather obvious. The answer is that there is no encryption whatsoever. The password is just stored in the database, looking something like this:

Usernames    Passwords
heyyall      password1
bSya         ^34543sdgG

That means that if there is any security breach of the database, the hacker literally has a complete list of every single username and its password. Not only does this mean that the hacker can easily get into anybody’s account on your website, it also might mean that you just gave away someone’s username and password for their bank account or credit card account as well, since people are dumb and like to reuse important usernames/passwords.

So someone a little more adept at web development might come along and tell this developer that he is doing it all wrong. He needs some form of encryption where the password (and sometimes even the username) is run through an algorithm that changes what the password looks like. Then, a key is kept that can be used to decrypt it. So, for example, if the above table used an encryption algorithm that turned every “s” character into “^” and every “^” character into “Q”, then you might have something like this:

Usernames    Passwords
heyyall      pa^^word1
bSya         Q34543^dgG

Of course, this is slightly more secure because a hacker cannot immediately see the actual passwords. The encryption algorithm would also likely be much more complex than this, but this is just an example to show the basics of how it works. The problem with this approach is that passwords that repeat will look identical after they are encrypted, and that once the key is figured out, all passwords are compromised again.

So, what is the correct way to do it? Well, encryption actually is not used at all. Rather, something called hashing is used. With encryption, an unencrypted string is fed through an algorithm, effectively encrypting it; then the encryption key can be used to decrypt the string and recover the original. This is not possible with hashing. With a hashing algorithm, a string is input and a modified string is output, and after the hashing algorithm has been performed there is no way to tell what the input string was. Well, at least that’s the idea. Certain hashing algorithms, like MD5, have been found to have vulnerabilities. People have published hash outputs for common passwords all over the internet, meaning that even if a developer uses a hashing algorithm to store passwords, a hacker can look up the hash output stored in the “Passwords” column and may be able to find what the original string was. This might be an example of a database that uses MD5 to store passwords:

Usernames    Passwords
heyyall      7c6a180b36896a0a8c02787eeafb0e4c
bSya         ed124669f85be63619b63adf28993f3c

But not only have popular hashing functions been compromised in the past; they are also imperfect for reasons similar to those of encryption. Probably the weakest point is that identical passwords still generate identical hash outputs, meaning that even if a hacker has no idea what a password actually is, he will know that two users have the same password. If one hash output keeps showing up, it is probably a rather common password, so he may try extremely common passwords on just one of those accounts, and if one works, he has the password for the hundreds of other usernames that used the same popular password.

So, a common approach that has been developed recently is to use a combination of hashing and random number generation in order to properly store passwords. This is popularly referred to as hashing and salting. Say you want the password “goldfish”. A regular hash function like MD5 may return a hash output of “861836f13e3d627dfa375bdb8389214e”. This is where the salting comes in. Instead of inputting “goldfish” into the hashing function, the system appends a random string of characters to the end of the initial password. So now something like “goldfish432342394dfasdjklpiasdklf234” is input into MD5, returning “c91b00f7a74633a9ec2c3f8cbf37fac3”. The idea is that even if a password is used by multiple users, a different hash output will be stored, because the random string attached to the password before it goes into the hashing function will be different each time. The method used to generate the random string may be kept completely separate from the database, meaning a hacker cannot access passwords just by infiltrating the database.
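As an added example (not code from the original article), here is what a salted, iterated hashing scheme looks like using only Python’s standard library. PBKDF2-HMAC-SHA256 is an assumed substitute for the MD5 used in the tables above, since MD5 is fast and broken, and the per-user salt is stored in the same row as the hash, which is how salted hashing is deployed in practice (the salt does not need to be secret). The sample users are constructed to mirror the tables above, with a third user who reuses “password1”.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: a random 16-byte salt per user and a slow, iterated hash.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The article's plain hashing scheme: identical passwords give identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the row stored in the 'user information' table for one user.

    The salt is random per user and saved next to the hash. What makes the
    stored value hard to reverse is the random salt plus the slow hash, not
    hiding the salt elsewhere.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed sample users; two of them chose the same password.
SAMPLE_USERS = {"heyyall": "password1", "bSya": "^34543sdgG", "newuser": "password1"}


def build_table(users: dict) -> dict:
    """Produce the stored rows for every user: same password, different rows."""
    return {name: make_record(pw) for name, pw in users.items()}


if __name__ == "__main__":
    print("unsalted md5 of password1:", unsalted_md5("password1"))
    table = build_table(SAMPLE_USERS)
    for name, rec in table.items():
        print(name, rec["salt"], rec["hash"][:16] + "...")
    print(verify("password1", table["heyyall"]), verify("wrong", table["heyyall"]))
```

Running it shows that “heyyall” and “newuser” end up with different stored hashes despite sharing a password, which is exactly the weakness the unsalted MD5 table above exposes.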

While the hashing and salting approach certainly is not perfect, it is the most secure way of storing user passwords that has been developed as of 2018. So please, don’t be like Pearson and store all your users’ passwords in plain text. Please.
