Best practices for storing passwords securely in a database

If you can read your users' passwords, an attacker who gets the same access can read them too.

Antipattern: Don’t store passwords in plaintext

Cupid Media hack exposed 42m online dating passwords.

Antipattern: Don’t store encrypted passwords

Antipattern: Real Threat of storing recoverable password

Hashing the password

The downside of this approach

Antipattern: Obsolete Hash Function

The 2012 LinkedIn hack refers to the computer hacking of LinkedIn on June 5, 2012. Passwords for nearly 6.5 million user accounts were stolen. In May 2016, LinkedIn discovered an additional 100 million email addresses and hashed passwords that were claimed to be additional data from the same 2012 breach.

Recommended: Salting & Hashing the Password

The downside of this approach

Most Recommended: Salting and Hashing with Iteration Count

DK = PBKDF2(PRF, Password, Salt, c, dkLen)

* PRF : pseudorandom function of two parameters with output length hLen (e.g., a keyed HMAC)
* Password : master password from which a derived key is generated
* Salt : sequence of bits, known as a cryptographic salt
* c : number of iterations desired
* dkLen : desired bit-length of the derived key
* DK : generated derived key

Additional Security: Use of Pepper
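The following is an added example (not code from the original article) that puts the PBKDF2 section and the pepper section together: a per-user random salt and iteration count are stored alongside the derived key in the database, while the pepper is a secret held in application configuration and never written to the database. The iteration count, salt length, storage format and the `needs_rehash` helper are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumptions for this demonstration, not from the article).
PBKDF2_ITERATIONS = 600_000   # "c": the work factor; raise it as hardware gets faster
SALT_BYTES = 16               # random per-user salt, stored next to the hash
DK_LEN = 32                   # "dkLen" in bytes


def hash_password(password: str, pepper: bytes = b"",
                  iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$c$salt_b64$dk_b64.

    The pepper is mixed into the password input, not into the salt, so a
    dump of the database alone does not contain everything needed to
    start cracking. The PRF is HMAC-SHA256.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + pepper,
                             salt, iterations, dklen=DK_LEN)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, stored: str, pepper: bytes = b"") -> bool:
    """Recompute DK with the stored salt and c, then compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        c = int(iters)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256" or c <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + pepper,
                                    salt, c, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than the current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations
```

On each successful login, check `needs_rehash` and re-store the password with the current iteration count, which lets you raise the work factor over time without forcing a reset.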

Passwords Can Be Reset Instead of Recovered

But you can allow a user access in other ways.

Conclusion
