1/ How to store passwords safely in the database and how to validate a password? Letβs take a look.
ππ‘π’π§π π¬ πππ ππ¨ ππ¨
πΉ Storing passwords in plain text is not a good idea because anyone with internal access can see them.
ππ‘π’π§π π¬ πππ ππ¨ ππ¨
πΉ Storing passwords in plain text is not a good idea because anyone with internal access can see them.
2/ πΉ Storing password hashes directly is not sufficient because it is pruned to precomputation attacks, such as rainbow tables.
πΉ To mitigate precomputation attacks, we salt the passwords.
πΉ To mitigate precomputation attacks, we salt the passwords.
3/ ππ‘ππ π’π¬ π¬ππ₯π?
According to OWASP guidelines, βa salt is a unique, randomly generated string that is added to each password as part of the hashing processβ.
According to OWASP guidelines, βa salt is a unique, randomly generated string that is added to each password as part of the hashing processβ.
4/ ππ¨π° ππ¨ π¬ππ¨π«π π π©ππ¬π¬π°π¨π«π ππ§π π¬ππ₯π?
1οΈβ£ A salt is not meant to be secret and it can be stored in plain text in the database. It is used to ensure the hash result is unique to each password.
1οΈβ£ A salt is not meant to be secret and it can be stored in plain text in the database. It is used to ensure the hash result is unique to each password.
5/ 2οΈβ£ The password can be stored in the database using the following format: π©π’π΄π©( π±π’π΄π΄πΈπ°π³π₯ + π΄π’ππ΅).
ππ¨π° ππ¨ π―ππ₯π’ππππ π π©ππ¬π¬π°π¨π«π?
To validate a password, it can go through the following process:
1οΈβ£ A client enters the password.
ππ¨π° ππ¨ π―ππ₯π’ππππ π π©ππ¬π¬π°π¨π«π?
To validate a password, it can go through the following process:
1οΈβ£ A client enters the password.
6/ 2οΈβ£ The system fetches the corresponding salt from the database.
3οΈβ£ The system appends the salt to the password and hashes it. Letβs call the hashed value H1.
4οΈβ£ The system compares H1 and H2 (H2 is the hash stored in the database). If they are the same, the password is valid
3οΈβ£ The system appends the salt to the password and hashes it. Letβs call the hashed value H1.
4οΈβ£ The system compares H1 and H2 (H2 is the hash stored in the database). If they are the same, the password is valid
7/ Over to you: what other mechanisms can we use to ensure password safety?
8/ If you found this thread helpful, follow me
@alexxubyte for more.
Retweet the first tweet to help more people to learn system design.
@alexxubyte for more.
Retweet the first tweet to help more people to learn system design.
Loading suggestions...