How to store a password in database?
Last Updated :
13 Sep, 2023
Most of the web applications require their users to authenticate themselves by asking them username and password. They compare the user supplied credentials with the data stored in their database and if the credentials match, the user is granted access. Sounds good! But what will happen if the database in which the website is storing your passwords gets compromised?
This article covers various techniques of storing passwords in the database.
According to
naked security, 55% of the net users use the same password for most of the websites! It implies that if the website storing your password in plain text gets compromised, hacker is not only able to gain access of your account on that website but all your social media, email, forums etc accounts in which you are using the same password!
Well, many must be wondering that if the database is exposed to the hacker then what can be done? The hacker has access to all the information. WRONG!! There are many ways through which the process of retrieving password from the database can be made cumbersome for the hacker. Even then the developers tend to ignore the basic guidelines and store the passwords in plain text.There are over 30% websites which store your passwords in plain text (including some reputed sites also). If the website is storing your password in plain text then no matter how strong password you choose, you are not safe!
Storing plain text passwords in the database is a sin.
One might also think that if not plain text then we must encrypt the password and then store. It is also a terrible idea. Encryption functions provide one-one mapping between input and output and they are always reversible. If the hacker gets the key, he will be able to decrypt the passwords. The better way would be to use a one way cryptographic hash function. Hash function provides a many-one mapping between input and output and it is practically impossible to reverse a output. A good cryptographic hash function has lesser number of
Collisions (i.e for different input values to the function it is difficult to get the same output). Collisions cannot be completely avoided because of
pigeonhole principle. For hashing passwords we can assume that the hash function will generate unique output i.e for no two different passwords we will get a same hash value.
Some of the popular cryptographic hash functions are
MD5 and
SHA1. Instead of storing plain text password in the database one way is to store the hash of the password. You might be thinking that if we cannot get the actual password back from the hash then how are we going to verify the credentials that the user entered? It’s simple, apply the same hash function on the password which user entered and then compare it with the hash stored in the database. If both hashes match then the user is authenticated (since hash of same input will give same output). Now if the attacker is able to get database access, he will be only able to view the hashed output and not the actual password.
Using cryptographic hash function is better than storing plain text password.
Hackers are smart guys and once they came to know that developers are storing hashed passwords, they pre-computed hash of large number of words (from a popular word list or dictionary words). They created a table of words and their corresponding hashes. This table is known as
Rainbow Table and it is readily available online. They can use this table to reverse lookup the actual password by comparing the hashes obtained from the database. Hence it is very important to have a
strong password since the possibility of your password appearing in the word list becomes less.
Simply storing the hash of a password is not going to help anymore. Processing power has increased drastically with the introduction of GPUs and CUDA, OpenCL libraries. A fast GPU can generate millions of MD5/SHA1 hashes in one second. Hence a hacker can easily generate large number of hashes by brute-forcing various possible combinations and can compare it with the hashes stored in the database to extract the actual password.
Even hashed passwords are not secure! Surprised?
Don’t loose hope! There is still something that developers can do to keep your passwords away from prying eyes of the hackers. Make the passwords delicious by adding some salt to them! Yeah, right..! Add a
salt. A salt is random data that is concatenated with your password before sending it as the input of the hashing function.
For example :
If your password is
abc and the salt is
!ZaP0#8, the result of
hashFunction('abc!ZaP0#8') will be stored in the database instead of
hashFunction(‘abc’).
Hence the rainbow table attacks won’t be effective now as the probability that rainbow table contains hash of
‘abc!ZaP0#8’ is meager (because generally rainbow tables are constructed from common words, dictionary words etc). Salt is not stored in the database and only present in the application configuration file which is not accessible to outer world. Gaining access to the source files is difficult than gaining access to the database.
The above salting method is static. We have one fixed salt for all the passwords. To authenticate the user, first concatenate the fixed salt to the user supplied input (password) and then pass the value to the hashing function and compare it with the value stored in the database. However this approach is still vulnerable to brute-force and if the attacker is able to get the static salt he can use the old attack methodology by concatenating the salt in every word.
A better approach would be to use a dynamic salt. For each user a new salt is generated by cryptographically strong random string generator. The password entered by user is concatenated with a random generated salt as well as a static salt. The concatenated string is passed as the input of hashing function. The result obtained is stored in database. Dynamic salt is required to be stored in the database since it is different for different users. When the user is to be authenticated, first the value of dynamic salt for that user is fetched from the database, it is concatenated with user supplied input and the static salt. The result is compared with the hash stored in the database.
If the database is compromised the hacker will not only get your password hashes but also the dynamic salt used. You might be wondering then what is the advantage of dynamic salt over static salt if attacker has dynamic salt? Even if the attacker has dynamic salt he needs to create a new hash-table (or rainbow table) for each and every user present in the database (as per dynamic salt). This is a lot more expensive operation than creating just one table for all the users.
The above approach is quite good to slow down a hacker. However it is recommended to use algorithms like
bcrypt and
scrypt instead of MD5/SHA1. Bcrypt is a hashing algorithm based on Blowfish. It requires you to specify a cost/work factor. The work factor makes the overall process slower and hence time taken to generate hash-table would increase multiple times.
References :
https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/
Similar Reads
How to Generate Pattern Password in Android?
Pattern Password for the device is one of the necessities to keep our device private and protected. Nowadays in most apps, we get to see this password applied in many applications such as Mutual Funds or Stock Market apps to keep our financial details private. In this article, we are going to see ho
6 min read
How to Update User Password in Firebase and Web ?
In the previous article, we have done How to get a currently singed-in user in firebase, In this Article we will see how to update the user password. Firebase auth provides us a method called updatePassword that takes a string parameter as a new password. We can do it simply by passing the new passw
3 min read
How to Save and Manage Passwords with Edge?
Saving and managing passwords is essential for ensuring both security and convenience when browsing the web. In Microsoft Edge, you can easily save passwords in Edge and use the built-in Edge password manager to keep track of them. With features like Edge password autofill and password management in
4 min read
What Is Password Salting and How Does It Work?
When it comes to safeguarding sensitive information online, passwords play a crucial role. However, simply hashing passwords (transforming them into a fixed string of characters) is often not enough to thwart hackers, given the advancements in attack methods. This is where password salting comes int
7 min read
Tips For Choosing a Strong Password
Forgot your password?... Let’s reset with the whole concept. So what is your Password? PassWord PassssWord1 Paasword9876… or Names of favorite sports personalities, celebs, and even brands are used as passwords by so many people. And then random posts, messages, and comments from your account, getti
5 min read
How to View, Edit or Remove Passwords on Firefox?
If you often forget your login details and reset your password frequently, consider using Mozilla Firefox's feature to save your passwords. This way, you won't need to remember them every time you log in. This article will discuss how to save, view edit, or remove passwords using Mozilla Firefox's P
4 min read
How to Manage Saved Passwords on Firefox Android?
While working on the Web Browser, we often perform some confidential activities where along with the Username, we have to enter the Password. Nowadays, due to the security of your account, every platform is secured with a Password. To make the password easy to remember, the Firefox Browser comes up
3 min read
How to Create Strong Passwords that are Easy to Remember?
To keep hackers and cyberattacksYou must use secure passwords to keep hackers and cyberattacks out of your online accounts. Nevertheless, creating passwords that are both safe and simple to remember might be difficult. Thankfully, there are easy methods available to assist you with how to create str
8 min read
How to View and Manage Saved Passwords on Your iPhone?
Short Preview!Follow these steps to view and manage saved passwords on your iPhone: Open "Settings" on your iPhone.Scroll and tap "Passwords."Authenticate with Face ID, Touch ID, or passcode.Now, you can View and manage saved passwords, including website logins and app credentials.Modern websites an
4 min read
Flutter - Show/Hide Password in TextField
In this article, we will Implement how to show/hide the password in the Textfield. A sample video is given below to get an idea about what we are going to do in this article. Step by Step Implementation Step 1: Create a New Project in Android Studio To set up Flutter Development on Android Studio pl
3 min read