How not to store passwords

  • It can’t be said enough - do not save passwords in plain text.
  • Encryption is only slightly better than plain text: whoever obtains the decryption key (typically stored next to the database) can recover every password. It is not THE answer for sure.
  • Plain (unsalted) hashes are pretty weak too. Identical passwords produce identical hashes, and users tend to reuse the same simple passwords across different websites, which makes them easy to crack with precomputed tables and lists of common passwords.
  • Salted hashes are much better at protecting passwords, because a random per-user salt defeats precomputed tables. But the speed at which attackers can compute ordinary hashes still makes brute-force attacks reasonably possible.
  • One of the good options for storing passwords is a key derivation function (KDF). Its tunable cost makes every guess take far more compute time, which means an attacker needs to spend much more money to crack the hashes.
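The three approaches side by side, as an added example (not code from the original page): a plain hash, a salted hash, and a PBKDF2-based KDF whose cost parameter is stored with the record so it can be raised later. The iteration count and the record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Plain SHA-256: no salt, so two users with the same password get the same
# digest, and one precomputed table cracks every account at once.
def plain_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Salted SHA-256: a random per-user salt defeats precomputed tables, but a
# single hash still costs microseconds, so brute force stays cheap.
def salted_hash(password: str, salt: bytes = b"") -> tuple[bytes, str]:
    salt = salt or os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

# KDF: PBKDF2-HMAC-SHA256. The iteration count is the cost knob; every guess
# an attacker makes costs the same work as one legitimate login check.
# 600_000 is an illustrative default (assumption), tune it for your hardware.
DEFAULT_ITERATIONS = 600_000

def kdf_hash(password: str, salt: bytes = b"", iterations: int = DEFAULT_ITERATIONS) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Record format (assumption): algorithm$iterations$salt$digest, so the
    # parameters travel with the hash and can be upgraded on next login.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_kdf(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record
        return False

def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record was made with a weaker cost than current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < minimum_iterations

if __name__ == "__main__":
    record = kdf_hash("correct horse battery staple")
    print(record, verify_kdf("correct horse battery staple", record))
```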

