[This week’s blog comes from Sujinthan Satkunarajah, one of our C# Programmer Analysts.]
To protect your organization and its users with password security, there are many ways you can store their passwords in your database. These are four options:
Option 1 – Storing passwords in plain text
This is most unsafe method and is never recommended. Storing passwords in plain text offers the least, if not any, protection to your users. Once a hacker gains access to your database, they’ll retrieve every user’s password. Since some users use the same password for every one of their accounts, the hacker has access to everything.
Option 2 – Encrypting passwords
This method is more secure than Option 1, but not the best option. Encrypting is an algorithm that converts plain text passwords into random characters. When a user enters their password, the system uses a key code that was generated during the coding of the encryption process, to convert the user’s input and search for a match in the database. To decrypt these user passwords, hackers would need that key code to retrieve every user’s password.
Option 3 – Hashing passwords
This method is stronger than Option 2, but again, not the best option. Hashing is using a mathematical function to transform the password into random symbols and characters. When a user enters their password, the system searches for a match between the hashed user’s input with the hashed password in the database. When using the right function, hackers would need a few days to convert the random symbols and characters into the user’s password. The weakness of hashing is its inability to address the frequency of similar or same user passwords. Once a hacker converts one hashed password, then the hacker can use the same hash value to convert all hashed passwords that have similar or same values.
Option 4 – Hashing and salting passwords
This method is the best option. Before you hash the password, add salt – a fixed length of random values. Each password has its own unique salt that’s stored in plain text in the database. When a user enters their password, the user’s input is salted and hashed, which is then compared to the value stored in the database to identify a match. This method allows the hashed password to remain unique, meaning a hacker will only gain access to one user password, while other users sharing the same password aren’t affected.