How to Encrypt Passwords in the Database

One school of thought states that the best way to store users' password information is not to store the passwords themselves, but rather hashes of the passwords. When the user first signs up for an account, your application creates a hash of the password and stores that in the database. When the user logs in, your application creates a hash of the password entered by the user and compares it to the hash of the password stored in the database.

This approach has the advantage of maintaining user privacy; you wouldn't be able to find out what your users' passwords are without a great deal of work. The downside is that you can't email a password reminder should the user forget his or her password (instead, you email them a link leading to a page that lets them define a new password).

The article How to Encrypt Passwords in the Database covers handling password hashes with source code in PHP and VB.NET/ASP 2.0.
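As an added illustration (not code from the article, which uses PHP and VB.NET), here is the sign-up and login flow described above in Python. It goes a step beyond the article's plain hash: the stored record carries a random per-user salt and an iteration count, and the login check uses a constant-time comparison. The record format `pbkdf2_sha256$iterations$salt$hash` and the function names are assumptions for this example.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; a real deployment would tune
# the iteration count to its hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def create_password_record(password: str) -> str:
    """Sign-up step: derive a salted hash and return the string to store
    in the database instead of the password itself."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Login step: re-derive the hash from the entered password using the
    salt and iteration count stored in the record, then compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = create_password_record("correct horse battery staple")  # constructed sample
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong password", stored))                 # False
```

Because the salt is random, two users with the same password get different records, so an attacker who reads the table cannot spot shared passwords by comparing hashes.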

Comments
Re: How to Encrypt Passwords in the Database
Post better content. Read about the flaws of this post.
Re: Re: How to Encrypt Passwords in the Database
by Joey deVilla on Tue 03 Oct 2006 12:26 PM EDT
My first response: "Post more polite comments."

But seriously...

I think the article explains the principles of storing hashes of passwords rather than the passwords themselves pretty well. Yes, neither it nor I covered all the security bases, but that's beyond the purview of an introductory article.

Tell you what -- give me a little time, and I'll write an article that covers those issues you mention in your post. How's that sound?
Re: How to Encrypt Passwords in the Database
Yes, I'm a flamebait sometimes. I believe strongly that awareness must be raised about security. I'm waiting for your tutorial and I'll be happy to comment on it ;). Also, just a tip: you might consider adding rel="nofollow" to the URL of the comments too, not just the links included in the comments.
Re: Re: How to Encrypt Passwords in the Database
The "nofollow" on the links is built into Blogware; that's just a checkbox option in the control panel. As for "nofollow"-ing the comments, that's in the works, but that requires editing the template for the comments. That will happen, as their layout needs some re-jigging anyway.