How to store passwords safely in the database and how to validate a password?

"Things not to do

🔹 Storing passwords in plain text is not a good idea because anyone with internal access can see them.

🔹 Storing password hashes directly is not sufficient because it is prone to precomputation attacks, such as rainbow tables.

🔹 To mitigate precomputation attacks, we salt the passwords.

What is salt?

According to OWASP guidelines, “a salt is a unique, randomly generated string that is added to each password as part of the hashing process”.

How to store password and salt?

1️⃣ A salt is not meant to be secret and it can be stored in plain text in the database. It is used to ensure the hash result is unique to each password.

2️⃣ The password can be stored in the database using the following format: hash(password + salt).

How to validate password?

To validate a password, it can go through the following process:

1️⃣ A client enters the password.

2️⃣ The system fetches the corresponding salt from the database.

3️⃣ The system appends the salt to the password and hashes it. Let’s call the hashed value H1.

4️⃣ The system compares H1 and H2, where H2 is the hash stored in the database. If they are the same, the password is valid."
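The storage and validation steps described above, as an added example that is not part of the original post. It goes one step beyond the quoted text: instead of a single fast hash(password + salt) it uses PBKDF2-HMAC-SHA256, a deliberately slow salted hash of the kind OWASP recommends; the iteration count and the in-memory user table are assumptions standing in for a real database.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed work factor; tune so one hash takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Dict[str, object]:
    """Build the record that goes into the database: salt (plain text), hash, cost.

    The salt is random and unique per password; it is stored unencrypted next to
    the hash because its job is uniqueness, not secrecy.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # 128-bit random salt, fresh for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify_password(candidate: str, record: Dict[str, object]) -> bool:
    """Steps 2-4 of the post: fetch the stored salt, hash the candidate with it (H1),
    and compare against the stored hash (H2) in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    h1 = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                             int(record["iterations"]))
    h2 = bytes.fromhex(str(record["hash"]))
    return hmac.compare_digest(h1, h2)  # constant-time comparison, not ==


# Constructed stand-in for the users table: username -> stored record.
USERS: Dict[str, Dict[str, object]] = {}
# A dummy record so that a login for an unknown user costs the same time as a real one.
_DUMMY = hash_password(secrets.token_hex(16))


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        verify_password(password, _DUMMY)  # burn the same work, then reject
        return False
    return verify_password(password, record)
```

Because the salt differs per user, two users with the same password end up with different stored hashes, which is exactly what defeats a precomputed rainbow table.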

Author

ABN ASIA was founded by people with deep roots in academia, with work experience in the US, Holland, Hungary, Japan, South Korea, Singapore, and Vietnam. ABN Asia is where academy and technology meet opportunity. With our cutting-edge solutions and competent software development services, we're helping businesses level up and take on the global scene. Our commitment: Faster. Better. More reliable. In most cases: Cheaper as well.
