And Again, About Storing Passwords

When the question of storing passwords arises, the first idea is to simply keep them in clear text in the corresponding table in the database. However, in 2018 cybercriminals are very good at getting access to such passwords: SQL injection is well known, and there are many other potential vulnerabilities. It is generally accepted to assume the worst-case scenario and prepare an action plan. Let’s assume that the attacker found a loophole in the web application and, in one way or another, can download the table with the names and passwords of users. In general, his further actions may be as follows:

  • Performing illegal actions on behalf of users using their credentials on a vulnerable website. For example, a bank card is attached to the account; now an attacker can use it.
  • Attempt to use the password on other websites. Some users tend to use the same passwords for different services.
  • Attempt to understand the rule for creating passwords and use it with other websites. Users often choose different passwords for different websites but follow the same rule for creating them, and such rules can be identified.
  • Elevation of privileges. The same table can store the administrator password, which the attacker can use to get full control over the server.

So, keeping passwords in plaintext is not a great idea. What should we do? It would be nice to store passwords in a protected form. Even if the table is retrieved, attackers will not be able to read and use the passwords directly or, at least, will have to spend a great deal of time recovering them.

And we come to the point where we must choose between the two approaches: encrypt passwords or use hashing. Let’s compare these options.

1. Labor intensity. Encryption takes more time. Irrespective of the crypto algorithm we choose, we (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by David Balaban. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/DpNHIHL-or0/