Introduction
- Storing password for users is an essential part of any application which provides access user access to the application. Storing passwords securely becomes very crucial to protect user’s sensitive information.
Ways to store passwords
There are many ways to store passwords.
- Storing them as plain text. This is least secure.
- Hashing the password: In this we would hash the plain-text password with a hashing algorithm which generates a random irreversible string that can be store.
- Using salt: A salt is random string that is appended to the password before hashing. This prevents attacker from using precomputed rainbow tables to crack the hashed password.
Store a password
- The password is provided by the client during sign-up.
- A salt is appended to the password. The salt is stored as plain text in the database.
-
The combination of password and salt is hashed with a hashing function and stored in the database.
Validate a password
- User enters the password to be validated.
- The combination of the password and salt is hashed, say H1.
- The previously stored hash of password and salt, say H2, is retrieved from the database and is compared with the H1.
- If H1 is equal to H2, then the password is valid. Otherwise it is not.
