Storing Passwords

Thameera Senanayaka

Passwords are one of the most sensitive types of information

The importance of password storage

  • Passwords may be exfiltrated
  • Operators may access passwords
  • Passwords "at rest" may be disclosed

Plain text storage

  • Once disclosure happens, game over
  • Violates compliance standards
  • Stronger passwords get no advantage

Encryption

  • Decryption!

Password hashing

Plain text → Hashing algorithm → Hash

Hashing with a salt

Plain text + Salt → Hashing algorithm → Hash (add a salt)

Hashing with a salt: How to do it properly

  • No salt reuse
  • No short salts
  • Don't invent algorithms yourself
    • e.g. md5(sha1(password))
  • Always hash on the server side
  • Use a slow hash function (key stretching)

Thank you!
