Storing Passwords
Thameera Senanayaka
Passwords are one of the most sensitive types of information
The importance of password storage
Passwords may be exfiltrated
Operators may access passwords
Passwords "at rest" may be disclosed
Plain text storage
Once disclosure happens, game over
Violates compliance standards
Stronger passwords get no advantage
Encryption
Decryption!
Password hashing
Plain text -> Hashing algorithm -> Hash
Hashing with a salt
Plain text + Salt -> Hashing algorithm -> Hash (add a salt)
Hashing with a salt: How to do it properly
No salt reuse
No short salts
Don't invent algorithms yourself
md5(sha1(password))
Always hash on the server-side
Use a slow hash function (Key stretching)
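The rules above (random, non-reused, sufficiently long salt; a standard slow algorithm; hashing on the server) carried out in code. This is an added example, not code from the slides; it uses PBKDF2-HMAC-SHA256 from Python's standard hashlib, and the record format `pbkdf2_sha256$iterations$salt$hash` is an assumption of the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Key stretching: a high iteration count makes every guess expensive for an attacker
# while still costing the server only a fraction of a second per login.
ITERATIONS = 600_000
SALT_BYTES = 16   # 128-bit random salt, generated fresh for every stored password
DKLEN = 32        # length of the derived hash in bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password server-side and return a self-describing storage record.

    The record embeds the algorithm, iteration count and salt so that the
    parameters can be raised later without breaking verification of old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # never reuse a salt between users
    if len(salt) < SALT_BYTES:
        raise ValueError("salt too short")      # enforce the 'no short salts' rule
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, ITERATIONS, dklen=DKLEN)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare it."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=DKLEN)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")   # constructed sample
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong password", stored))                # False
```

Because each record gets its own salt, two users with the same password end up with different hashes, so a leak of one hash says nothing about the other.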
Thank you!