
How to Store a Password in Database

Most web apps ask users for their username and password in order to verify their identity. They check the credentials provided by the user against the information in their database, and if they match, access is granted to the user.

Storing the Password as Plain Text

According to Naked Security, 55% of internet users use the same password for the majority of websites. This means that if a website storing your password in plain text is breached, an attacker gains access not only to your account on that website but also to every other social media, email, forum and other account where you reuse the same password.

There are numerous techniques that make it difficult for an attacker to recover passwords from a database. Even so, developers frequently store passwords in plain text and ignore the fundamental best practices: more than 30% of websites keep passwords in plain text (including some reputed sites). No matter how strong a password you choose, if the website stores it in plain text, you are not secure.

Storing the Password in Encrypted Form

Another option is to encrypt the password before storing it, rather than keeping it in plain form. This is also a bad idea. Encryption functions are reversible by design: they provide a one-to-one mapping between input and output, so anyone who obtains the key can decrypt every stored password.

Cryptographic Function for the Password

Using a one-way cryptographic hash function is the better option. A hash function provides a many-to-one mapping between input and output, which makes it practically impossible to reverse an output back to its input. A good cryptographic hash function produces very few collisions; they cannot be eliminated entirely because of the pigeonhole principle, but for password hashing we can assume that the function yields unique results, i.e. no two passwords produce the same hash value.

MD5 and SHA1 are two of the better-known cryptographic hash functions. The approach is to store the hash of the password in the database rather than the plain text. At login, apply the same hash function to the password the user provides and compare the result with the stored hash; since the same input always gives the same output, a match authenticates the user. An attacker who gains access to the database now sees only the hashed output, not the actual password.

Rainbow Table

Attackers pre-compute the hashes of a large number of candidate passwords (taken from popular word lists or dictionaries) and build a table mapping each word to its hash. This table, known as a rainbow table, is readily available online. By looking up the hashes obtained from a stolen database in such a table, they can perform a reverse lookup and recover the original passwords. This is why a strong, uncommon password matters: it reduces the likelihood that your password appears in the word list at all.

Salt Method

Salting is used to protect stored passwords against rainbow tables. A salt is some random data that is combined with the original password before the result is stored in the database. For example, if the password is 'hap123' and the salt is 'xcv69', the salted password would be 'hap123xcv69'.

Because the salt value is fixed here, this is known as the static salt method. A single static salt is still not secure enough, since an attacker who learns it can rebuild a rainbow table once for every user, so a dynamic salt method is used instead.

Dynamic Salt Method

In the dynamic salt method, a dynamic salt is produced by a random string generator for each user. The static salt is combined with the original password and the dynamic salt, the result is passed through a hash function, and the hash is stored in the database along with the dynamic salt. With this method an attacker has to build a new hash table for every user, which makes recovering the passwords far harder.

The method described above works well to impede an attacker. The bcrypt and scrypt algorithms are preferred over MD5/SHA1. bcrypt is a hashing algorithm based on the Blowfish cipher, and it requires you to supply a cost (work) factor. Since the work factor slows down every hash computation, building a hash table takes much more time.
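As an added example (not code from the original article), the dynamic salt scheme above in Python, using scrypt from the standard library as the slow, cost-factor hash: a site-wide static salt, a fresh random salt per user, and a stored record that carries the salt and work factor so the hash can be recomputed at login. The static salt value, the record format and the cost parameters are assumptions for this example.

```python
import hashlib
import hmac
import os

# Site-wide static salt (the page's "static salt"). Constructed value for this
# example; in practice keep it out of the database, e.g. in a secrets manager.
STATIC_SALT = b"xcv69-site-wide-secret"

# scrypt cost parameters (assumed for this example). n is the CPU/memory work
# factor: raising it slows every hash computation, and so every attacker guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DYNAMIC_SALT_BYTES = 16


def _derive(password: str, dynamic_salt: bytes, n: int) -> bytes:
    # Static salt + per-user dynamic salt, then the slow one-way function.
    salt = STATIC_SALT + dynamic_salt
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$salt_hex$hash_hex."""
    dynamic_salt = os.urandom(DYNAMIC_SALT_BYTES)  # fresh for every user
    digest = _derive(password, dynamic_salt, SCRYPT_N)
    return f"scrypt${SCRYPT_N}${dynamic_salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, n_str, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        digest = _derive(password, bytes.fromhex(salt_hex), int(n_str))
    except ValueError:  # malformed record (wrong field count, bad hex or N)
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Two users with the same password get different records, so a single
    # pre-computed table cannot crack both: that is the point of per-user salt.
    alice, bob = hash_password("hap123"), hash_password("hap123")
    print(alice != bob, verify_password("hap123", alice),
          verify_password("hap124", bob))
```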