In the world of developing digital technologies, a secure password has become something that is not less important than one’s ID card, or any other document. This is the warranty of safe Internet life. Some people treat password creation and storage not seriously, which results into mortifying experience: account hacking or stealing of money from bank cards. How to avoid such situations? Learn to store the passwords securely and smartly.
If you decide just to store them in a database, mind that they should not be easily recoverable from there – encrypt them, and keep the decryption key on some other server. Make sure that database does not give hints about the length of the password. Either identical, or similar passwords should have different hashes.
Hashing alone seems to be secure at the first glance: all hashes are the same length, which does not reveal any information about password size, and its content. But the problem is that several popular algorithms are used for hashing (MD5, SHA-1 and SHA-256), and hackers may pre-calculate a set of passwords. If the computed hash is the same as the stored hash, an adversary will login and get access to your account.
To avoid having the same hashes (if your passwords for several sites match), you should “add salt”. This is an additional data that is mixed with original hash. It is also called “nonce” (a blending from “number used once”). This is a random string of bytes that is usually put before hash string. Salt is not an encryption key, and it can be stored in a database together with username, preventing users with the same password from getting the same hashes. Since there are usually 16 bytes of salt or more, the chance of such occasion are almost equal to zero.
So, we have ensured non-reversibility, no hashes repetition and have deprived hackers of any hints about password length. Is it safe enough? Not yet. Modern hash-cracking servers can generate 100,000,000,000 or more passwords in a second, so the last thing you may do is to slow hacker’s task completing down. Run your password hashing algorithm as a loop with thousands of individual hash calculations. That won’t defend you completely, but it will decrease the rate at which an adversary can perform an offline attack. Thus, the safety of your account is in direct proportion to the number of iterations chosen. As far as computing power of hackers is increasing, you may double the number of iterations every year, too.