Beat hackers at their own game: Part 2

Pinterest Engineering
9 min readintermediate
--
View Original

Overview

This article discusses effective strategies for password storage to enhance security against hacking attempts. It emphasizes the importance of using strong hashing methods and avoiding common pitfalls in password management.

What You'll Learn

1

How to implement a secure password storage system using Bcrypt

2

Why using a 1-way slow hash with salt is essential for password security

3

How to convert existing password storage systems to Bcrypt efficiently

Prerequisites & Requirements

  • Understanding of cryptographic hashing and password security principles

Key Questions Answered

What are the requirements for a good password storage system?
A good password storage system should allow users to authenticate with a unique identifier and a plaintext password while maximizing the difficulty of password recovery. It should never allow recovery of the exact password used.
What are the common ways passwords are stored incorrectly?
Common incorrect storage methods include plaintext storage, 1-way cryptographical hashes like MD5 and SHA1, and 2-way encryption. Each of these methods has vulnerabilities that can lead to password recovery by attackers.
How does Bcrypt enhance password security?
Bcrypt enhances password security by using a slow hashing algorithm combined with a salt, making it significantly harder for attackers to use precomputed rainbow tables or brute force methods to crack passwords.
How can I convert my existing password storage to Bcrypt?
To convert existing password storage to Bcrypt, you can hash the existing passwords using SHA-1 and then rehash them with Bcrypt upon user login. This allows for gradual migration without forcing users to reset their passwords immediately.

Technologies & Tools

Backend
Bcrypt
Used for securely hashing passwords to protect user credentials.

Key Actionable Insights

1
Implement Bcrypt for password storage to enhance security against attacks.
Using Bcrypt ensures that passwords are hashed securely and are resistant to brute force attacks, making it a vital practice for any application handling user authentication.
2
Avoid storing passwords in plaintext or using weak hashing algorithms.
Storing passwords in plaintext is a critical security flaw. Instead, use strong hashing techniques to protect user credentials from being easily compromised.
3
Regularly review and update your password storage practices.
As computational power increases, older hashing methods may become vulnerable. Regularly updating your security practices helps safeguard against emerging threats.

Common Pitfalls

1
Storing passwords in plaintext or using weak hashing algorithms.
This practice exposes user credentials to attackers, making it easy for them to gain unauthorized access. Always use strong hashing methods and never store passwords in a recoverable format.
2
Failing to use salt in password hashing.
Without salt, identical passwords will produce the same hash, making it easier for attackers to crack multiple accounts. Always use unique salts for each password.

Related Concepts

Password Hashing
Cryptography
Security Best Practices