Passwords Storage in Database || Safety

aditya goel
4 min read · Jan 21, 2023

Question:- What's the problem with storing passwords in plaintext format?

Answer → If an attacker gets access to the stored passwords, all of our customers' data may be compromised.

  • Step 1 → Imagine the passwords are supplied and stored in plain-text format while the account is being created.
  • Step 2 → The problem with saving the password directly into the database is that any hacker, or even an employee with database access, can read the password.

Another disadvantage of storing the clear-text password is that a hacker can try the same password at other sites as well.

Question:- Explain what the hashing process means.

Answer → As per the OWASP (Open Web Application Security Project) guidelines, hashing is a one-way process: the original password cannot be recovered back from the hash.

Question:- What are the important properties of a hashing function?

Answer → Following are the properties of a hashing function :-

  • Repeatable → Applying the hashing function to the same input always produces the same result (it is deterministic).
  • One Way → It works in a single direction only, i.e. the actual value (the password) can't be generated back from the hash.

Question:- What are the popular hashing algorithms, and which one is more secure?

Question:- Why do we need salts?

Answer → Although an algorithm like BCrypt is a very strong way of one-way hashing text, the stored hashes can still be reversed by pre-computation attacks. Therefore, we need salts.

Question:- What are some attacks commonly used by attackers?

Answer → Some common attacks are rainbow tables and DB lookups. With these attacks, hackers can recover the passwords in seconds.

Question:- What is a salt?

Answer → A salt is a unique, randomly generated string that is added to each password as part of the hashing process.

Question:- How is the forward process of storing the passwords performed?

Answer → Here are the steps followed in the process of storing the passwords.

  • First step → The client provides the password.
  • Second step → Then, a salt is attached to that password. This salt can safely be stored in plain text in the database as well.
  • Third step → Then, we generate the HASH by applying an appropriate hashing function.
  • Fourth step → Finally, this HASH is saved into the DB.

Question:- How is the reverse process of verifying the passwords performed? Say, if some customer logs in, how do we check whether that password matches or NOT?

Answer → Here are the steps followed in the process of verifying the passwords.

  • First step → The client provides the password.
  • Second step → Then, we fetch the salt corresponding to this user from our database and attach it to the supplied password.
  • Third step → Then, we generate the HASH by applying the same hashing function adopted earlier.
  • Fourth step → Finally, we perform a matching process: we check whether the newly generated HASH (from step 3) is the same as the HASH stored in the database for this user.
  • Fifth step → If both HASHes match, the password is said to match; otherwise it does not.
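The forward (store) and reverse (verify) processes above, as an added example that is not code from the original post. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the hashing function, a 16-byte random salt per user, an iteration count chosen for this example, and an in-memory dict standing in for the users table; it also shows why the salt defeats precomputed tables, since two users with the same password end up with different stored hashes.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not from the post): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per user and 600,000 iterations.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Steps 2 and 3 of the forward process: attach the salt, apply the hash function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_password(db: dict, username: str, password: str) -> None:
    """Forward process: make a per-user salt, hash, save salt + hash (never the password)."""
    salt = secrets.token_bytes(SALT_BYTES)
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(db: dict, username: str, candidate: str) -> bool:
    """Reverse process: fetch the user's salt, re-hash the candidate, compare."""
    record = db.get(username)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(candidate, b"\x00" * SALT_BYTES)
        return False
    computed = hash_password(candidate, record["salt"])
    # Constant-time comparison avoids leaking which bytes of the hash matched.
    return hmac.compare_digest(computed, record["hash"])


def demo() -> dict:
    db = {}  # constructed in-memory stand-in for the users table
    store_password(db, "alice", "correct horse battery staple")
    store_password(db, "bob", "correct horse battery staple")
    return {
        "alice_ok": verify_password(db, "alice", "correct horse battery staple"),
        "alice_wrong": verify_password(db, "alice", "Correct horse battery staple"),
        "unknown_user": verify_password(db, "carol", "anything"),
        # Same password, different salts -> different stored hashes, so a table
        # precomputed against one user's hash says nothing about the other's.
        "same_password_same_hash": db["alice"]["hash"] == db["bob"]["hash"],
    }


if __name__ == "__main__":
    print(demo())
```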

That's all in the blog. If you liked reading it, do clap on this page. We shall see you in the next document.

aditya goel

Software Engineer for Big Data distributed systems