4 thoughts on “How to store a password in a database”

  • Please excuse my ignorance: why not?
    If the application server encrypts the password & username first and the encryption algorithm is not known to the person looking in the DB, is this a serious security risk?
    Where, then, should passwords be stored?

    • They shouldn’t be stored anywhere. That’s the entire point. Encryption isn’t the answer.

    • I believe the unspecified reason is that you only encrypt something you intend to decrypt (like an SSN at tax time if your system is involved with those). If it can be decrypted then it’s insecure by definition. Instead, store hashes from which the original value cannot be retrieved – only compared for changes.
