Password Hashing
Surely you’ve heard how often websites suffer data breaches. Millions of users can have sensitive information exposed, and as a result may get their accounts hijacked, personal information revealed, or worse. Websites like haveibeenpwned.com keep track of data breaches and let you know whether your information is unfortunately among what has been leaked. However, there are ways to make sure that even if a site’s database is leaked, the attackers still can’t simply read the users’ passwords out of it. One of those ways is password hashing.
What even is password hashing?
If you read last week’s blog post, I talked about JSON Web Tokens and how information can be encoded into a string of characters that the server can read and verify. Password hashing looks superficially similar, but with one crucial difference: it is one-way. A string is taken in by a hashing algorithm and turned into a fixed-length string of characters that looks random, with no key involved and no way to turn the output back into the input. The output is not actually random, though: the same input always produces the same hash. Take a look at the image below:
On the top left you can see that I entered “ThisIsAPassword” into the text field. Below it are numerous variations of that password hashed by different algorithms (there are actually a lot more algorithms than shown, but I’m certainly not going to try to fit them all in one image).
Salt The Password?
I didn’t check off the box labeled “Salt The Password”. Well, what happens if I do? See if you can spot the difference:
The hashed password comes out differently. “Salting” a password means adding a random value (the salt) to the password before it goes into the hashing algorithm, and storing that salt next to the resulting hash. Hashes can’t be decrypted, but they can be guessed: without a salt, two users with the same password end up with the same hash, and an attacker can precompute the hashes of millions of common passwords once and then look up every user in a leaked database at the same time. With a unique salt for each user, the same password produces a different hash for every user, the precomputed table is useless, and the attacker has to start the guessing over for each account.
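To make the salting point concrete, here is an added example (not code from the original post) that hashes the same password for two users with and without a salt, then plays the attacker with a small precomputed table. The user list, the wordlist, and the use of plain SHA-256 are all assumptions made for the demo; a real system would use a slow password hash like bcrypt rather than bare SHA-256.

```python
import hashlib
import os

# Constructed sample data: two users who happen to choose the same password.
USERS = {"alice": "ThisIsAPassword", "bob": "ThisIsAPassword"}

# Constructed "common passwords" list an attacker would precompute hashes for.
WORDLIST = ["123456", "password", "ThisIsAPassword", "letmein"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Deterministic, so equal passwords collide."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password. A different salt gives a different digest."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What an unsalted database looks like: username -> hash."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """What a salted database looks like: username -> (salt_hex, hash).
    The salt is random per user and stored in the clear next to the hash."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt.hex(), salted_hash(pw, salt))
    return table


def build_precomputed_table(wordlist: list) -> dict:
    """Attacker's one-time work: hash -> password for every word in the list."""
    return {unsalted_hash(word): word for word in wordlist}


def lookup_unsalted(stored: dict, table: dict) -> dict:
    """Against an unsalted dump, every user is one dictionary lookup away."""
    return {user: table.get(digest) for user, digest in stored.items()}


def lookup_salted(stored: dict, table: dict) -> dict:
    """The same precomputed table applied to a salted dump finds nothing,
    because no entry was computed with these salts."""
    return {user: table.get(digest) for user, (_salt, digest) in stored.items()}


def guess_salted(stored: dict, wordlist: list) -> dict:
    """The attacker's only option now: re-hash the whole wordlist per user.
    Weak passwords still fall, but the cost scales with the number of users."""
    found = {}
    for user, (salt_hex, digest) in stored.items():
        salt = bytes.fromhex(salt_hex)
        found[user] = next((w for w in wordlist if salted_hash(w, salt) == digest), None)
    return found


def hash_operations(num_users: int, num_words: int) -> tuple:
    """(unsalted, salted) number of hash computations the attacker needs
    to try every word against every user."""
    return num_words, num_words * num_users


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    table = build_precomputed_table(WORDLIST)
    print("unsalted dump:", unsalted)
    print("salted dump:", salted)
    print("precomputed lookup vs unsalted:", lookup_unsalted(unsalted, table))
    print("precomputed lookup vs salted:", lookup_salted(salted, table))
    print("per-user guessing vs salted:", guess_salted(salted, WORDLIST))
    print("hash work for 1,000,000 users:", hash_operations(1_000_000, len(WORDLIST)))
```

Note that `guess_salted` still recovers “ThisIsAPassword”, because it is in the wordlist. Salting does not make a weak password strong; it stops one precomputation from cracking everyone at once and forces the attacker to pay the full cost per account.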
Are there other ways of storing passwords?
Yep, and they range in security, too. The least secure way to store passwords is in “plain text”, meaning it’s literally just the password itself stored in the database. Obviously, this is the worst way to protect a password: if the database gets breached, hackers literally do not have to do anything else to know your password. It’s right there in front of them. Also, how often do you use the same password on other websites? Yeah, don’t lie to yourself about it. A lot of people do it. One breach can then mean compromises on other websites as well, because attackers take leaked username and password pairs and try them everywhere else. You might be thinking “there’s no way that many companies would store passwords in plain text, though! Surely they have more security!”. Oh, you’re wrong. You are so, so wrong. Just take a look at this website. Even bigger companies like Facebook (YES, FACEBOOK!) have stored passwords in plain text.
Another way would be encrypting passwords. I know I used the word “encrypted” earlier, but I’m using the word encrypt here in the traditional sense: the password is scrambled with a secret key, and it can be unscrambled with that same key. You may think that encryption is a secure way to store passwords, since it turns them into a jumbled mess of characters similar to hashing, but the unfortunate difference is that it’s reversible. The application has to keep the key somewhere so it can decrypt passwords, and once a hacker gets hold of that key, every password in the database can be decrypted. A login check never actually needs the original password back, so there is no reason to store it in a form that can be recovered at all.
It’s not hard to set up password hashing for your application. There are libraries out there that can help you easily do it, bcrypt being one of the most popular ones; it generates a random salt for you, builds the salt into the stored string, and is deliberately slow (with an adjustable cost factor) so that guessing is expensive for an attacker. I recommend giving bcrypt’s documentation a read to better understand how hashing works in general. Remember, you always want to be on top of your security game!
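As an added example (not code from the original post, and not bcrypt’s own code), here is what a complete store-and-verify routine looks like when you put the pieces together: a random per-user salt, a deliberately slow hash, the parameters stored in the same string as the hash so they can be raised later, and a constant-time comparison at login. It uses the Python standard library’s PBKDF2-HMAC-SHA256 instead of bcrypt so it runs with nothing installed; the stored-string format, the 16-byte salt and the 600,000 iteration count (the figure in the 2023 OWASP Password Storage Cheat Sheet for PBKDF2-SHA256) are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example: algorithm label, salt size and
# iteration count. Raise ITERATIONS over time as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string: algorithm$iterations$salt$hash.
    A fresh random salt is generated every time, so hashing the same
    password twice yields two different strings."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the salt and iteration count from the stored
    string and compare in constant time. Malformed input simply fails."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if this record was made with weaker parameters than the current
    ones. Call it after a successful login and re-hash the password then,
    since that is the only moment the plaintext is available."""
    try:
        algorithm, iterations, _salt, _hash = stored.split("$")
        return algorithm != ALGORITHM or int(iterations) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("ThisIsAPassword")
    print("stored:", record)
    print("correct password:", verify_password("ThisIsAPassword", record))
    print("wrong password:", verify_password("thisisapassword", record))
    # Constructed legacy record with a low iteration count, as an old row in
    # the database might look after ITERATIONS was raised.
    legacy = hash_password("ThisIsAPassword", iterations=10_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

With bcrypt the shape is the same, just hidden behind two calls: `bcrypt.hashpw(password, bcrypt.gensalt())` produces a string that already embeds the salt and cost factor, and `bcrypt.checkpw(password, stored)` reads them back out to verify. Whichever library you use, never compare the hashes with `==`, and never store the password in any form you could get back.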