Applications which require users to register need to store the user details in some kind of data store and if you’re storing sensitive information like passwords, it is imperative that the passwords are encrypted before you store them. Often, it is easier to just store the passwords as clear text to avoid the hassle of having to encrypt/decrypt the password before using them but this will eventually lead to a BIG security flaw in your application.
Some people think that because they’ve got a small web app, they are not really at risk of hackers but the truth is that there are sick people out there who enjoy looking for vulnerabilities in your website. Of course there’s a password to access your dababase and that provides a first level of security but if that database password is compromised, then all your users will be at risk. You might be thinking what’s the worse that can happen if somebody manages to get the passwords of your users, right? Well they will have the power to impersonate that user on your site first of all, but wait this does not end here. If your website just allow registered users to post comments, it’s not just the fact that the hacker will be able to post comments on your site but research has found that many people use the same passwords for a lot of sites. Surely the hacker can get the email address of the person and if he can get into their email, he might also be lucky to find other sites which he can log into as well, pretending to be the said user. This is not something that you wish happen to you, so security is the first thing that we need to think about.
It is important to note that if you have a database administrator, he will have unrestricted access to your database and will be able to read your users’ passwords and may use them in unethical manners (hopefully he won’t, but you should never take the chance).
Instead of storing the passwords as plain text in the database, you could encrypt the password and that would add a nice layer of obscurity to it but if you can encrypt it, then you can also decrypt it the same way that it was encrypted. This is because encryption/decryption engines use a key to do the work and the key can be guessed or found and this will make it easy to get the password.
A much better way to secure the passwords is to hash them. Hashing is a one way algorithm in the sense that once you’ve got it encrypted (hashed), you cannot get it decrypted. When the user enters his password on your site, you hash the password that he entered and check the hashed value that you get against the hashed value in the database for the user’s record. It it matches, it means the user has entered the correct password.
That’s all good but because many people tend to use common names found in dictionary as their password, hash tables have been created to perform a dictionary attack on the passwords which have been hashed. Say you’ve hashed the password ‘prince’ with SHA1 and a hacker manage to get a positive sign that his hashed password ‘prince’ matches your one. This means that he will know the password. Therefore it is advisable to salt the hash to make dictionary attacks less successful.
Hashing with a salt
Before you actually hash the password, you add a salt to it, so you hash (salt + password). It is better to add the salt at the beginning of the password rather than the end. A salt is just a random word. You can create a random set of characters to use as the salt and store them together with the password in the database. The added benefit is that is two users have the same password, the hash value of their passwords won’t be the same because you’ve got a random salt added to their passwords which means a hacker cannot for sure know whether people are using the same passwords.
It is better to use a random salt rather than a single salt because the latter will make it that little bit easier to crack the password but with a random salt, the hacker will need to perform comparison for each password by using the salt and hashed password. This will increase the time taken for them to get the passwords and give you time to notify your users to change their passwords, if you know that your site’s been compromised that is.
Which cryptography to use?
MD5 has shown weaknesses and there are concerns around SHA1 because of some vulnerabilities. I’d consider using SHA256 although SHA512 is more secure. The reason is SHA512 takes twice as long to compute and I believe SHA256 is good enough for security at the moment. Let’s see what SHA-3 will give us, eh?