How are Passwords Stored?
Introduction
Although I previously created a note-taking website with user registration: my-note, I forgot many concepts. I found a simple explanatory video: You’re Storing Passwords Wrong. Here’s The Fix - LearnThatStack, so I will record knowledge related to password storage.
Password Storage
Plain Text Storage
Storing user submissions directly in the database is a disaster waiting to happen. If passwords leak, there’s really no going back. Users often reuse the same passwords across multiple services, leading to even greater harm.
Hash Function
- A function that is only one-way input-output; it can go from password → hash, but is extremely difficult to go from hash → password.
- Fixed input, fixed output.
- A tiny change in input results in a drastically different output.
Imagine a meat grinder; once the data is minced, no one can revert it in a reasonable time and resource limit. However, if the same ingredients are put in, the same result will come out. This property can be used for identity verification; each time a user submits a password, it can be hashed and compared to the stored hash value. The hash value cannot be reversed back to password.
Rainbow Table
Common password hash combinations might be recorded, and in actual cracking, it only takes a lookup from the records to quickly crack the password. This lookup table is also known as a rainbow table.
Salting
To avoid rainbow table, as well as the issue of identical passwords producing identical hash values, we add “salt.” Salt is random data used to add before hashing, so the same password will yield completely different results.
SHA256
SHA256 is a secure and fast common hashing algorithm, but being “fast” in the context of password storage actually lowers the threshold for brute force attacks.
bcrypt
bcrypt is a hashing algorithm deliberately designed to be “slow,” which may cause the user to wait several hundred milliseconds during login, but it significantly raises the threshold for brute force attacks.