This site uses third-party cookies, learn more or accept
dark light

Storing Passwords - Web Security

Written by Max Pelic on

It seems like every week or so there's another data breach, and the problem often seems to insecurely stored data. It's crazy to me when I hear of another password breach because it's fairly easy to implement password hashing.

What is password hashing?

Password hashing is the method of using a secure one-way algorithm to convert a plain text password into a seemingly random string of characters.

If it's done right, a password that's been hashed will also include a random salt, which was added on to the password before it was hashed and is stored with the password to make it easy to verify a user's credentials.

When you add the salt onto a password, it prevents hackers who have accessed your database from using a rainbow table (a list of common passwords and their hashes) to figure what the passwords are.

What does it look like?

A hashed and salted password may be stored in a format like this: hash.salt, and is generated using a function like this:

1function secure_password($password){

2
3 $salt = generate_salt(); //generate a random salt for the password
4

5 return hashing_funcion($password . $salt) . '.' . $salt;
6
7}

In the above example, the generate_salt function would return a random string of letters and numbers, and the hashing_function would return a hashed version of the input string.

After hashing and salting a password, it's relatively simple to check if an entered password is correct, you can use something like this:

1function check_password($password, $hashed_password){

2
3 $password_parts = explode('.', $hashed_password);
4
5 $salt = $password_parts[1];
6
7 $hash = $password_parts[0];
8
9 return hashing_function($password . $salt) === $hash;
10
11}

The function above takes the user entered password and the hash to check it against. It splits the supplied hash into the hash portion and the salt, then it hashes the password with the salt and compares the result to the stored hash.

How to implement it

If you're using PHP, there are built-in functions to do this, password_hash and password_verify.

If you're using a different programming language, there's likely a password hashing function built in. If not, you can easily implement one by creating something like the functions I showed you before.

When you hash passwords, make sure to run it through a hashing algorithm multiple times, otherwise, it's really easy and fast for someone to use a brute-force method to figure out what the passwords are.

If you'd like to read more about password hashing, check out this link

Share this article:

Previous Article: Free Resources for Web Devs

Next Article: Pros and Cons of website builders