Google+

Webmail

Rob's Blog

My blog will range from helpful hints for the home user, through to the results of various research projects, beneficial for professionals and developers.

  • Home
    Home This is where you can find all the blog posts throughout the site.
  • Categories
    Categories Displays a list of categories from this blog.
  • Tags
    Tags Displays a list of tags that have been used in the blog.
  • Bloggers
    Bloggers Search for your favorite blogger from this site.
  • Team Blogs
    Team Blogs Find your favorite team blogs here.
  • Login

The Importance of Password Security - FOR DEVELOPERS

Posted by on in Staying Safe on the Internet
  • Font size: Larger Smaller
  • Hits: 2152
After covering what makes for a good password in my previous post, it is important for developers to understand the equal importance of storing passwords securely. Whether you have designed an email service, web application or even operating system, it is essential that you store your passwords securely and specifically NOT AS PLAIN TEXT!! It is not enough to simply rely on your website security either, so any passwords in your database need to be encrypted somehow.

The problem with plain text:

No matter how much protection you have on the storage of your databases, there are always ways to obtain the data they hold, including social engineering and even a disgruntled employee as well as more complicated 'hacking' methods. You may think this is fine for your Mongolian throat singing appreciation website, which only has 3 members, where the most damage that could be done is an obscene post on the message board. However the greater issue is people reusing passwords, especially in this world of credential based services. The ever relevant web comic 'XKCD' demonstrates the malicious potential of password reuse.


So I should hash the password right? Not exactly..

Sure, anything is better than plain text, so using an md5 or SHA hash is an option. However these methods are only slightly more secure. Firstly, md5 CAN be decrypted, it was built to encrypt quickly and as such can be decrypted relatively quickly. Using a combination of methods to hash a password will make it harder to decrypt, but is not particularly good practice.

Benefits of salting passwords:

Sadly this is not as flavoursome as it sounds and simply means adding an unique arbitrary string to the beginning or end of the password before it is hashed or encrypted. This way the hash will be different to what the password is. And by knowing the salt, the password never needs to be stored unencrypted at all.
For bonus points, make it a randomly generated salt.
For even more security, have an unique salt for every user that changes every time they successfully login.

The solution:

The best method of storing passwords is using pre-existing encryption modules, such as Bcrypt or SHA-2, which exist for most if not all programming languages. Salts can and should still be used with these. It is also wise to stay up to date with encryption news as the best methods are always changing.
Last modified on
I finished school in 2012 and went straight to work with Genisyst. I am still learning the ropes of the business and the technical side of everything we have to offer, but at the same time, I am researching new and innovative products and systems we can implement with our own.