Storing Passwords

Thameera Senanayaka

Passwords are one of the most sensitive types of information

The importance of password storage

  • Passwords maybe exfiltrated
  • Operators may access passwords
  • Passwords "at rest" maybe disclosed

Plain text storage

  • Once disclosure happens, game over
  • Violates compliance standards
  • Stronger passwords get no advantage

Encryption

  • Decryption!

Password hashing

Plain text

Hashing

algorithm

Hash

Hashing with a salt

Plain text

Hashing

algorithm

Hash

+

Salt

Add a

salt

Hashing with a salt:

How to do it properly

  • No salt reuse
  • No short salts
  • Don't invent algorithms yourself
    • md5(sha1(password))
  • Always hash on the server-side
  • Use a slow hash function (Key stretching)

Thank you!

Made with Slides.com