Mike Mead

Storing Passwords Securely With A Pinch Of Salt

Written by Mike

Jun 11, 2014

Security


I'm sure we can all agree that storing passwords in plain text in a database is a very bad idea. So, how should you store them? Encrypted or hashed? And what does adding a salt do?


Encryption

Some might decide to encrypt the stored passwords to secure them, but in reality (as you are still storing the password in some form) all this does is add a little inconvenience for someone attempting to recover the passwords stored in your database.

Here's a diagram demonstrating the use of encryption:

(Diagram: Encryption)

Using the analogy of a safe:

The password is stored in a safe (encrypted) with a key or code (encryption key) and the safe is then stored in the database. This is a two-way process. If the database is compromised then someone has access to the safe (encrypted password) and all that is required is the key or code (encryption key) to unlock it (decrypt). The key could be brute forced or might be found within your application. Not good.

Hashing

Instead of encrypting the passwords, they are passed through a hashing function and only the digest (which is like a fingerprint) is stored in the database - not the password itself. This is a one-way process and is practically impossible to reverse. If the database is compromised then there is no way to recover the password directly from the digest.

Demonstration of the use of a hashing function:

(Diagram: Hashing)

Although much better than encryption, this method of securing a password still has its flaws. By comparing a table of password digests against a rainbow table (a precomputed table of digests for common passwords) it is possible to figure out at least some of the passwords.

Add a Salt

We can build on securing passwords with hash functions by introducing a unique salt to the hashing process. A salt is a randomly generated string that is combined with the password before it is hashed, so that two users with the same password get different digests and a precomputed rainbow table is rendered useless.

Addition of a salt:

(Diagram: Hashing with a Salt)

Two important points:

  • Use a long and unique salt for every password
  • The salt does not need to be secret and can be stored along with the password digest
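The following is an added example, not code from the original post, showing the scheme above in Python: a fresh random salt per password, the salt stored next to the digest, and verification that recomputes the digest from the stored salt. The article does not name a specific hash function; this example assumes PBKDF2-HMAC-SHA256 from the standard library, and the record format and parameters are choices made here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example, not values from the article.
SALT_BYTES = 16        # 128-bit random salt, unique per password
ITERATIONS = 200_000   # PBKDF2 work factor; raise as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "iterations$salt_hex$digest_hex".

    A fresh random salt is generated when none is supplied, so two users
    who choose the same password end up with different digests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        iterations_str, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 of the password: the kind of digest a rainbow table targets."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two users who picked the same weak password.
    alice = hash_password("password123")
    bob = hash_password("password123")
    print("unsalted digests identical:", unsalted_digest("password123") == unsalted_digest("password123"))
    print("salted records identical:  ", alice == bob)  # False: each record has its own salt
    print("alice correct password:", verify_password("password123", alice))
    print("alice wrong password:  ", verify_password("Password123", alice))
```

Because the salt is stored in the record, a stolen database still forces an attacker to run the full PBKDF2 computation separately for every user rather than looking digests up in one precomputed table.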

Conclusion

There's no need to reinvent the wheel when it comes to secure password storage and there are plenty of good articles and resources to be found on practical implementations.

Never store passwords in plain text or even encrypted. Always use a hashing function with a long, unique salt for each password.

See Also

Salted Password Hashing

Video - Don't Encrypt Passwords

Wikipedia - Encryption

Wikipedia - Cryptographic Hash Functions

Wikipedia - Rainbow Tables

Wikipedia - Salt
