Don't betray users' trust: how to make password storage secure

Source: Internet
Author: User
Tags: md5, hash

As software developers, one of our most important responsibilities is to protect users' personal information. Users without technical knowledge have no choice but to trust us when they use our services. Unfortunately, when we look at how passwords are handled in practice, we find a wide variety of approaches, many of which are not secure. Although it is impossible to build a completely secure system, a few simple steps make our password storage safe enough.

Should not:

First, let's look at what we should not do when building a system that requires user authentication.

● Do not store user authentication information unless you have to. Consider OAuth providers such as Google and Facebook. If you are building an internal enterprise application, consider using an existing internal authentication service, such as the enterprise LDAP or Kerberos service. Whether the application is public or internal, users will like it because they do not need to remember another ID and password, and it is less exposed to attackers.

● If you must store authentication information, do not store plaintext passwords. This needs no explanation.

● Do not use reversible encryption unless you genuinely need to recover the plaintext password in some situation. Authenticating a user never requires the plaintext password.

● Do not use outdated hashing algorithms such as md5. Today anyone can reverse a hash back to its plaintext by building an enormous lookup database of md5 values; in other words, a plain md5 hash is essentially useless as protection. If you don't believe it, take this ciphertext (569a70c2ccd0ac41c9d1637afe8cd932) to md5hacker and you will see the plaintext within a few seconds.

Should:

Now that we have covered what you should not do, let's talk about what you should do:

● Select a one-way (irreversible) algorithm. As mentioned above, store only the one-way transformed password. At each authentication, run the submitted password through the same algorithm and compare the result with the stored value.

● Select the slowest algorithm your application can afford. Every modern password hashing algorithm accepts a cost parameter that lengthens the computation, which makes recovering the password correspondingly harder (for example, PBKDF2 is tuned through its iteration count). Why slow? Because a user barely notices an extra 100 ms when authenticating, but an attacker who needs to compute a billion guesses is in for a very long wait.

● Select a well-established algorithm. The National Institute of Standards and Technology recommends PBKDF2 for password hashing.
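The three rules above (one-way, tunable cost, PBKDF2) put together in working Python, added here as an example and not code from the original article; the record format `pbkdf2_sha256$iterations$salt$hash`, the default iteration count, and the calibration probe are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time
from base64 import b64decode, b64encode
from typing import Optional

# Assumed for this example: a self-describing storage record of the form
# "pbkdf2_sha256$<iterations>$<salt_b64>$<key_b64>" so the parameters travel
# with the hash and can be raised later without breaking old records.
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
KEY_LEN = 32

def hash_password(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """One-way: derive a PBKDF2 key from the password and a random salt; store only the key."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)
    return "$".join([ALGORITHM, str(iterations), b64encode(salt).decode(), b64encode(key).decode()])

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    try:
        alg, iters, salt_b64, key_b64 = stored.split("$")
        iterations, salt, expected = int(iters), b64decode(salt_b64), b64decode(key_b64)
    except ValueError:  # malformed record (wrong field count, bad int, bad base64)
        return False
    if alg != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, min_iterations: int) -> bool:
    """Tunable cost: flag records hashed below the current policy so they are upgraded at next login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit() or int(parts[1]) < min_iterations

def calibrate_iterations(target_seconds: float = 0.1, probe: int = 50_000) -> int:
    """Time a probe run on this machine and scale to the ~100 ms budget the article suggests."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"\x00" * SALT_BYTES, probe, dklen=KEY_LEN)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))
```

Run `calibrate_iterations()` once per deployment and store the result as the policy minimum; `needs_rehash` then lets existing records catch up transparently as users log in.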
