Handle Passwords Securely: Storage
July 1st, 2008 | Published in Security
Computer systems in general, and your web application in particular, should never store passwords in plain text. This is a very basic concept; if you don’t quite grasp the reason behind not storing passwords as plain text, I’ll take the stance of security expert Matasano Chargen and advise you to use someone else’s security system (Redux, for instance). I’m sure we are all aware that we should not be storing passwords at all; rather, we should be storing a hashed string representing that password. By hashing the password, we theoretically create a one-way transformation whereby the original password cannot be recovered. We then validate users by running the same hashing algorithm on their input and checking whether the two hash strings match.
Hashing is not the complete answer; worth reading on…
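To make the store-a-hash-and-compare scheme above concrete, and to show why a bare hash is not the complete answer, here is an added example (not from the original post or from MichaelWales.com) that puts the unsalted SHA-256 approach beside a salted, iterated PBKDF2 record with a constant-time comparison. The `pbkdf2_sha256$...` record layout is an assumption made for this example, not a standard format.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- The scheme as described in the post: hash the password, store the hash ---
def store_plain_sha256(password: str) -> str:
    """Unsalted SHA-256. Identical passwords produce identical hashes, so a
    precomputed table of common passwords cracks every matching user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def verify_plain_sha256(password: str, stored: str) -> bool:
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(store_plain_sha256(password), stored)

# --- Hardened form: per-user random salt plus an iterated key derivation ---
ITERATIONS = 200_000  # assumed cost setting for this example; tune to your hardware

def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record (assumed layout for this example):
    'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, record: str) -> bool:
    """Re-derive with the salt and iteration count stored in the record and
    compare in constant time. Malformed records simply fail verification."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    # Constructed sample password for demonstration only.
    r1 = store_pbkdf2("correct horse")
    r2 = store_pbkdf2("correct horse")
    print(r1 != r2)                               # same password, different salts -> True
    print(verify_pbkdf2("correct horse", r1))     # True
    print(verify_pbkdf2("wrong guess", r1))       # False
    # The plain scheme stores the same string for every user with this password.
    print(store_plain_sha256("correct horse") == store_plain_sha256("correct horse"))  # True
```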
(Via MichaelWales.com.)
