Hello, and welcome to today’s class on storing passwords in a database.
Don’t store passwords in a database.
Thanks for attending.
Photo by James Sutton on Unsplash.
Please excuse my ignorance: why not?
If the application server encrypts the password & username first and the encryption algorithm is not known to the person looking in the DB, is this a serious security risk?
Where, then, should passwords be stored?
They shouldn’t be stored anywhere. That’s the entire point. Encryption isn’t the answer.
Perhaps a mention that hashing passwords, and storing the hash, if done correctly with a good salt, is ok.
I believe the unspecified reason is that you only encrypt something you intend to decrypt (like an SSN at tax time if your system is involved with those). If it can be decrypted then it’s insecure by definition. Instead, store hashes from which the original value cannot be retrieved – only compared for changes.
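The two comments above describe the standard answer without showing it: store a salted, slow, one-way hash and compare at login time, so nothing in the database can be turned back into the password. The following is an added example written for this page, not code from the post or from any commenter. It uses PBKDF2-HMAC-SHA256 from the Python standard library purely because it runs everywhere without dependencies; the 600,000 iteration count is OWASP's current guidance for that construction, and in a real deployment a memory-hard KDF such as Argon2id is the better choice. The stored record format (algorithm$iterations$salt$digest) and all user data are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor. 600,000 iterations of PBKDF2-HMAC-SHA256 is OWASP's 2023
# recommendation; raise it over time (see needs_rehash below).
ALGORITHM = "pbkdf2_sha256"     # record format is an assumption for this example
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a one-way, salted digest and pack it into a self-describing
    record: algorithm$iterations$salt$digest (salt and digest base64).
    There is no key anywhere, so the record cannot be decrypted, only
    recomputed from a candidate password and compared."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=HASH_BYTES)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def parse_record(record: str) -> Optional[Tuple[int, bytes, bytes]]:
    """Split a stored record into (iterations, salt, digest); None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        digest = base64.b64decode(parts[3], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if iterations < 1 or not salt or not digest:
        return None
    return iterations, salt, digest


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and work factor and compare
    in constant time. A malformed record never verifies."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str, current_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than the one now
    in use. Call after a successful login (the only time the plaintext is
    available) and overwrite the record with a fresh hash_password()."""
    parsed = parse_record(record)
    return parsed is None or parsed[0] < current_iterations


def salt_demo(password: str) -> Tuple[bool, bool]:
    """Why the salt matters. Returns (unsalted_identical, salted_identical):
    two users with the same password get the same bare SHA-256, so one crack
    or one precomputed table hits both; with per-user salts the stored
    records differ even though both still verify."""
    unsalted_a = hashlib.sha256(password.encode("utf-8")).hexdigest()
    unsalted_b = hashlib.sha256(password.encode("utf-8")).hexdigest()
    salted_a = hash_password(password)
    salted_b = hash_password(password)
    return unsalted_a == unsalted_b, salted_a == salted_b


if __name__ == "__main__":
    # Constructed "users" table: what actually lands in the database.
    users = {"alice": hash_password("correct horse battery staple")}
    print(users["alice"])                                   # no plaintext, no key
    print(verify_password("correct horse battery staple", users["alice"]))  # True
    print(verify_password("Tr0ub4dor&3", users["alice"]))   # False
    print(salt_demo("hunter2"))                             # (True, False)
```

Note what the verifier does and does not learn: a database dump yields salts and digests, which only help an attacker who is willing to pay the full work factor per guess per user. The constant-time comparison closes the remaining side channel on the comparison itself, and the self-describing record lets the work factor be raised later without a migration.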