Storing passwords

How to store passwords (of your website’s users), you wonder? There has never been a simpler question in website security, with such a straightforward answer:

Never-ever store passwords

Store hashes of your users’ passwords, never the passwords themselves. I don’t care if you plan on storing passwords in a file or in a database table, whether in plain text (…yes, there have been cases, some notorious) or two-way encrypted. Forget all that. Just use good password hashes, always. Hashing is one-way, meaning the result (the hashed string) can never be used to directly retrieve the original text, as opposed to two-way encryption, where the ciphertext can be decrypted back to the original using the encryption key.
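As an added illustration (this is example code, not from the original post), here is the difference between the two approaches in working Python: a bad "store" that keeps the password, and a good one that keeps only a salted, deliberately slow hash and verifies a login attempt by recomputing it. The post does not name an algorithm; the choice of PBKDF2-HMAC-SHA256 from the standard library, the iteration count and the record format are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumptions for this example: PBKDF2-HMAC-SHA256 with a per-user random salt.
# The post only says "use good password hashes"; these parameters are ours.
HASH_NAME = "sha256"
ITERATIONS = 600_000   # slow on purpose: raises the cost of guessing offline
SALT_BYTES = 16
ALGO_TAG = "pbkdf2-" + HASH_NAME


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (all the
    verifier needs, and nothing that lets anyone recover the password)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh salt per password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGO_TAG,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash of the candidate with the stored salt and iteration
    count; compare in constant time. Malformed records simply fail."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False
    if algo != ALGO_TAG or rounds <= 0:
        return False
    actual = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


# --- The two ways of "storing" a password, side by side ---------------------

class PlaintextUserStore:
    """The anti-pattern the post warns about: the table holds the password."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = password          # anyone who reads the table has it

    def login(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


class HashedUserStore:
    """The recommended pattern: the table holds only the hash record."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            # Still burn a hash computation so unknown users are not faster to probe.
            hash_password(password)
            return False
        return verify_password(record, password)


def stored_record_contains_password(store, username: str, password: str) -> bool:
    """Helper used to show what a database dump would reveal."""
    return password in store.users[username]


if __name__ == "__main__":
    bad, good = PlaintextUserStore(), HashedUserStore()
    # Constructed sample credential for the demonstration.
    bad.register("alice", "correct horse battery")
    good.register("alice", "correct horse battery")
    print("plaintext store leaks password:", stored_record_contains_password(bad, "alice", "correct horse battery"))
    print("hashed store leaks password:   ", stored_record_contains_password(good, "alice", "correct horse battery"))
    print("hashed record:", good.users["alice"])
    print("login ok:", good.login("alice", "correct horse battery"), "| wrong:", good.login("alice", "wrong"))
```

Two design points worth noticing: the random salt means two users with the same password get different records (so one cracked hash tells you nothing about the other), and the iteration count is stored alongside the hash, so it can be raised later for new records while old ones remain verifiable.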

The main argument against this extremely healthy practice is the difficulty in recovering a lost password: you won’t be able to send the user his password in plain text, because you cannot get it yourself (one-way, remember?). This is actually a good thing!

That’s all there is to it regarding password storage, really. Don’t waste your time and don’t risk your system’s security messing around with a “better” solution for the sake of convenience. Do yourself a favor, and simply accept the above as axiomatic.
