Secure Password Storage

12 min readMar 5, 2024

Introduction

In our digital age, the security of personal and organizational data hinges significantly on how we store passwords. With cyber-attacks becoming more sophisticated, the old ways of storing passwords just don’t cut it anymore. This guide dives into the best practices for password storage, blending insights from leading sources with practical advice to keep data safe.

Understanding Password Storage

Basics of Password Storage

Long gone are the days when storing passwords in plain text was common practice. This method is akin to leaving your house keys under the doormat; it’s only a matter of time before someone finds them. Instead, secure password storage involves techniques like hashing, where passwords are transformed into a fixed-size string of characters, which is nearly impossible to reverse-engineer (YouTube, 2023; OWASP, 2021). Let’s have an example of one of the biggest companies Facebook, in Facebook’s case, internal applications built by employees logged and stored hundreds of millions of user passwords in plain text on company servers, making them accessible to thousands of Facebook employees (Kastrenakes, 2019).

Hashing, Salting, and Peppering

To enhance security, salts (random data) and peppers (additional secrets) are added to passwords before hashing. Salting prevents attackers from efficiently using precomputed tables like rainbow tables; a tool for breaking passwords that uses a table of reversed password hashes that has already been calculated to break passwords in a database (Gillis, 2022). While peppering adds an extra layer of security, making bulk password theft much harder (YouTube, 2023). These practices are foundational to modern password storage strategies.

Now let’s dig deeper in each one of them:

Hashing

There are many ways to keep your data safe, and the two famous ways are by hashing and encryption, however passwords should be always hashed! But the main question is why?

First of all, what is Hash? Our main character in this write-up Hashing, it converts text, numbers, files, or anything into a fixed-length string of letters and numbers (Codecademy Team, 2023). For instance, The hash function you choose will generate a fixed-length output of 32 characters. This means that the output will always be 32 characters long, regardless of whether you input a short phrase like “Hello World” or a longer sentence like “I am the best hacker in the world”.

What makes hashing better to store passwords rather than encryption is that hashing uses one-way functions which makes it impossible to decrypt it, In contrast, encryption works in two-way function, which means it would be possible to get the plaintext password from the encrypted data.

*Take note that attackers can’t use the hashed password to join in as the target, even if they get their hands on it.

Here is an example of how hashing works: When a person creates a new account on a website that hashes passwords to keep them safe, the actual password is not kept in the database. Instead, the website or app takes the user’s password and hashes it. The original password is changed into a unique hash. After that, this hash is saved in the database. So, when the user tries to log in again, the password they enter is hashed anew and this freshly created hash is compared with the hash stored in the database.

If the two hashes match, the password you entered is right and you can get in. This method makes sure that even if someone gets into the database, they can’t use the hash to figure out the user’s real password.

That being said, there is no such thing as 100% safe! Attackers will always be trying to get around the defences we put up. We will talk more about how hackers can get around the hashing in the Current Threats (The Powerful GPUs) part. Therefore, it is essential that we boost our existing security measures. To illustrate, the use of salt and pepper can render any hash algorithm immune to hackers.

Salt

Salting provides an additional security layer on top of hashing. To increase the security of a hash, separated unique character sequences are appended to the password right before hashing in order to completely alter the hash (Ibeakanma, 2022).

This could increase the security of weak passwords such as “Password1” or “123” by rendering them more difficult to decipher. An example of this process is provided in the figure below.

The use of unique salts for each user forces hackers to approach password cracking on an individual basis. They can no longer target a single hash; instead, they must crack each hash with its specific salt, significantly slowing down the process and demanding more resources. This will make sure that there are no similar passwords since each password will have its own salt. However, Salt is produced automatically for passwords by current hashing algorithms such as PBKDF2, Argon2id, and bcrypt.

Pepper

Imagine you’re adding an extra secret ingredient, called a “pepper,” to your password security recipe. This pepper works alongside with salt. While salt is unique for each password and is stored openly in the database, pepper is a single secret key used for all passwords and is kept hidden away.

So, when a user sets a password, the website does a couple of things to keep it secure. First, it mixes the password with salt and turns it into a hash. Then, it adds the pepper by mixing it in a special way, using something called HMAC (think of it as a blender that mixes the pepper and the hashed password together). This makes the password even harder to figure out.

The cool part about using pepper is that even if someone sneaky finds the database through a hack, like SQL injection, or gets their hands on a database backup, they can’t crack the passwords just with what they find. Without the pepper, which is not in the database but stored in a super-secure spot like a “secrets vault” or an HSM (secure hardware box). And just like you might change your secret ingredient in a recipe every now and then, it’s a good idea to change (or rotate) the pepper occasionally to keep things extra secure.

Advanced Password Storage Techniques

Key Stretching Algorithms

Key stretching algorithms like PBKDF2, bcrypt, argon2id, and scrypt slow down attackers by making the hashing process computationally intensive. This is crucial because it buys time, even if a breach occurs, and makes attacks less feasible on a large scale (Professor Messer, 2021).

Certainly! Let’s reframe these explanations in a more straightforward, non-kitchen scenario while keeping the simplicity and clarity:

PBKDF2 (Password-Based Key Derivation Function 2)

Think of PBKDF2 as a security checkpoint that your password has to pass through multiple times before it gets to its final form. Each pass through the checkpoint scrambles the password more, making it increasingly difficult for anyone trying to figure it out from the outside. The number of times the password goes through this process can be adjusted, making it a flexible tool for enhancing security. It’s like adding several layers of security checks to ensure that only the rightful owner can get through (Professor Messer, 2021).

bcrypt

bcrypt is like a smart security system that evolves with the times. It not only scrambles the password but also automatically adjusts its security levels as computers get faster and hacking techniques become more advanced. This means that as hackers get better tools, bcrypt responds by strengthening its defences. It’s akin to a security system that updates itself to keep up with new threats, ensuring that your password remains safe (OWASP, 2021).

Argon2id

Argon2id is the winner of a global competition to find the best password protection method, making it the top-of-the-line choice for securing passwords. It’s designed to use both the processing power and memory of a computer to create a strong defence against attacks, including those from specialized hacking hardware. This dual-focus approach makes it particularly effective at protecting against a wide range of threats. Imagine it as the latest advancement in security technology, combining multiple defence mechanisms to protect your password from any angle (OWASP, 2021).

scrypt

scrypt takes a unique approach by requiring a lot of memory to process the password. This design choice means that even if a hacker has a powerful computer, they will also need a significant amount of memory to attempt to crack the password, making it an expensive and difficult task. It’s similar to a security strategy that not only checks who’s trying to enter but also makes sure they’ve gone through several expensive and time-consuming hurdles to prove their legitimacy. This adds an extra layer of protection by raising the cost and complexity of potential attacks (OWASP, 2021).

In essence, PBKDF2, bcrypt, argon2id, and scrypt are all methods designed to transform your password into a form that’s extremely hard for attackers to decipher. Each method has its own strengths, from PBKDF2’s adjustable complexity and bcrypt’s adaptability to evolving threats, to argon2id’s award-winning comprehensive security approach and scrypt’s memory-intensive process. Together, they represent a range of options for keeping passwords secure against various types of cyber threats.

And for your information, salting is a built-in feature for PBKDF2, bcrypt, scrypt, and argon2id.

Work Factors

Think of the work factor like setting the difficulty level for a video game that hackers are trying to beat. It’s about how many rounds of scrambling (iterations) we put a password through to make it tough for hackers to crack but still keep our app running smooth. Too high, and it’s like throwing a wrench in the works, making everything slow and potentially opening doors to other attacks. There’s no magic number that fits all; it’s about finding that sweet spot through trial and error, aiming to keep the hashing time under a second (OWASP, 2021).

Adding to our “game difficulty” analogy, if we want to be upgrading the work factor like levelling up your security as the bad guys get better gear. As tech gets cheaper and more powerful, we can crank up the difficulty to keep them at bay. The trick is to do this upgrade dance when users log in, giving their passwords a fresh coat of security paint with a new work factor. If someone doesn’t log back in for a while, their password might stay in the old, easier level, so sometimes it’s smart to nudge users to reset their passwords, keeping only the latest, toughest hashes around (OWASP, 2021).

Measuring Password Strength

Password Strength Tools

Tools like zxcvbn help in crafting strong passwords by evaluating their complexity and resistance to common attack strategies. By leveraging such tools, both developers and users can ensure their passwords are tough nuts to crack (Bitwarden, 2021). To kick off password security on the right foot, it’s crucial to start with a password that’s not a piece of cake to guess. Aim for passwords that are at least 8 characters long (though more is always better), mixing it up with uppercase and lowercase letters, numbers, and symbols. It’s smart to steer clear of using easily guessable details like your birthday or phone number as your password. And using “password” as your password? Definitely a no go. Let’s get creative and choose something less obvious to keep things secure.

Current Threats (The Powerful GPUs)

The advent of powerful GPUs like the NVIDIA RTX 4090 has made password cracking faster than ever. Even with all the security measures we have talked about before it could be also cracked using a chip called GPU, don’t think it’s only meant for gaming and hard-core designing, it actually used to calculate hashes in crazily speed that could reach to billions of hashes per second (H/s).

A famous tool called Hashcat, this tool made it effortless for people who are good at recovering passwords to test their tools automatically on real hashing tasks and then record the results to share. The end result is a set of data called “benchmarks” that shows how well different pieces of hardware and hashing methods work (Hive Systems, 2021).

Refer to (Hive Systems, 2021) The RTX 4090 broke about 164 billion H/s in 2022, What a number!

And if we look at the table above we can see that generation after generation it gets more powerful and stronger using the MD5 hashing (not preferred to use this hashing in passwords).

Even with strict adherence to NIST password guidelines, the power of the RTX 4090 can crack password hashes with alarming speed, approximately one hour! This 50% speed increase over the previous generation highlights the terrifying reality of evolving hacking tools.

This development underscores the need for robust password policies and the adoption of advanced storage methods that can stand up to such brute-force attacks (Windows Central, 2021; Chick3nman, 2021).

So, we’ve seen how these supercharged GPUs, like the NVIDIA RTX 4090, are changing the game in not-so-great ways for password security. It’s not just for gaming anymore; these chips are hashing out passwords at speeds that are mind-blowing — we’re talking 164 billion hashes per second in 2022 (Hive Systems, 2021)! And with tools like Hashcat in the mix, cracking passwords has become almost a walk in the park for the savvy folks.

Seeing the power jump with each new GPU generation, especially with something like MD5 hashing (yeah, not the best for passwords), it’s a wake-up call. Even sticking to all those NIST guidelines, the RTX 4090 can breeze through password hashes in about an hour. That’s 50% faster than the older models, which is kind of terrifying when you think about it (Windows Central, 2021; Chick3nman, 2021).

It’s a bit of a reality check as cool as this tech is, it’s also making it easier for hackers to get in where they shouldn’t. It’s pushing us to up our game in password security and find better ways to keep our stuff safe.

So, here’s a thought: if this is what we’re dealing with now, can you imagine what things will look like a few years down the line? How crazy will the tech get, and are we going to be ready for it?

Best Practices for Password Storage

Summary of Recommendations

The key to secure password storage lies in using a mix of salting, peppering, and key stretching with algorithms recognized for their resilience. Staying informed about the latest in cryptographic research are essential steps in this direction. Additionally, employing password strength tools and educating users on creating strong passwords can significantly uplift security.

Future Trends and Considerations

Now what do I think about all that?

Looking ahead, we might ditch passwords altogether for cooler stuff like biometrics or single sign-on (SSO) tech. Imagine just using your face or fingerprint to get into everything — game changer, right? However, until such methods become universally adopted, enhancing password security remains a critical task.

Given the fast-paced tech advances, like the NVIDIA RTX 4090 turning password cracking into child’s play, here’s a cool idea: Why not beat them at their own game? Let’s think ahead, way ahead. How about we dive into developing encryption that’s not just tough, but futuristic tough, like something out of a sci-fi movie? Imagine encryption that evolves on its own or is quantum-proof. That’s the kind of forward-thinking that could not only keep us safe today but also keep the hackers guessing tomorrow. Let’s not just play catch-up; let’s lead the race.

Self-Reflection

Diving into this write-up, I’ve stumbled upon a bunch of new stuff that never really caught my attention before. It’s been like finding hidden gems of knowledge that I’m now super keen to explore more. Honestly, this whole journey’s been a brain-expander, and I’m already buzzing with ideas on how I can weave these insights into my future projects. It’s like I’ve been given a new set of tools, and I’m just itching to put them to use. Can’t wait to see where this new knowledge takes me!

References

- OWASP. (2021). Password Storage Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

- Professor Messer. (2021). Key Stretching Algorithms. https://www.professormesser.com/security-plus/sy0-501/key-stretching-algorithms/

- YouTube. (2023). Salting, peppering and hashing passwords. https://youtu.be/FvstbO787Qo

- Bitwarden. (2021). Password Strength Tool. https://bitwarden.com/password-strength/

- Windows Central. (2021). NVIDIA’s new RTX 4090 can be used to crack passwords in minutes. https://www.windowscentral.com/hardware/computers-desktops/nvidias-new-rtx-4090-can-be-used-to-crack-passwords-in-minutes

- Chick3nman. (2021). GitHub — Password Hashing Speeds. https://gist.github.com/Chick3nman/32e662a5bb63bc4f51b847bb422222fd

- Hive Systems. (2021). Are Your Passwords in the Green? https://www.hivesystems.io/blog/are-your-passwords-in-the-green

- Codecademy : https://www.codecademy.com/resources/blog/what-is-hashing/

- Gillis, A. S. (2022, September). rainbow table. Retrieved from TechTarget: https://www.techtarget.com/whatis/definition/rainbow-table

- Ibeakanma, C. (2022, April 8). What Is Salting in Password Security and How Does It Work? Retrieved from MAKE US OF: https://www.makeuseof.com/what-is-salting/

- Kastrenakes, J. (2019, March 22). Facebook stored hundreds of millions of passwords in plain text. Retrieved from The Verge: https://www.theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users