Why is securely storing passwords so necessary?
Hello!
In your "Second approach - digest" section, you have a typo in your code:
Oh, I didn't catch that. Thank you!
I'd like to add a fifth approach: use an algorithm designed for passwords, like bcrypt, which takes care of salting for you, but it's also more computationally expensive with configurable complexity. I think bcrypt is still the default in Rails.
Using a single round of SHA-256 with all the existing hashing hardware acceleration (thanks Bitcoin!) isn't very secure nowadays.
You're right, I should have mentioned the bcrypt approach. My goal in these articles is to show the reader how the theory behind all the library magic works, to make understanding the principles easier. Thanks for the heads up!
Hello Anes!
Thanks for the post. I'm new to web development, and I've been working with bcrypt and similar libraries. Since these are the "do not do" approaches, what would you recommend to make password storage more secure?
Hey Anthony!
The last approach that is documented (peppering) is a relatively secure approach, if you want to do it by hand. My goal with this article is to demonstrate how you could do it by hand, so that beginners know the theory. But when I make a RoR application I also use bcrypt. I have an article about bcrypt in Rails in the drafts, which I will link in my post as soon as it is done.
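The salted, peppered, slow-hash idea from the two comments above, as an added example in plain Ruby that is not code from the article or from any commenter. It uses the stdlib PBKDF2-HMAC-SHA256 as a stand-in for bcrypt's salting and configurable work factor; the PEPPER value is a constructed placeholder, not a real secret.

```ruby
require 'openssl'
require 'securerandom'

# Server-side secret kept outside the database (the "pepper").
# Constructed placeholder for this example; a real app loads it from config.
PEPPER = 'example-pepper-not-a-real-secret'.freeze

# One plain SHA-256 round: fast to compute, so also fast to brute-force,
# and two users with the same password end up with the same digest.
def naive_digest(password)
  OpenSSL::Digest::SHA256.hexdigest(password)
end

# Per-user random salt + pepper + iterated hashing (PBKDF2-HMAC-SHA256).
# The iteration count is the tunable work factor, like bcrypt's cost.
# Returns "iterations$salt$hex" so the salt and cost are stored with the hash.
def hash_password(password, salt: SecureRandom.hex(16), iterations: 100_000)
  key = OpenSSL::PKCS5.pbkdf2_hmac(password + PEPPER, salt, iterations, 32,
                                   OpenSSL::Digest.new('SHA256'))
  "#{iterations}$#{salt}$#{key.unpack1('H*')}"
end

# Constant-time comparison so response timing does not leak how many
# leading bytes of the stored hash matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recompute with the stored salt and cost, then compare in constant time.
def verify_password(password, stored)
  iterations, salt, _hex = stored.split('$', 3)
  candidate = hash_password(password, salt: salt, iterations: iterations.to_i)
  secure_equal?(candidate, stored)
end

if __FILE__ == $PROGRAM_NAME
  stored = hash_password('correct horse battery staple')
  puts stored
  puts verify_password('correct horse battery staple', stored) # true
  puts verify_password('wrong password', stored)               # false
end
```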
Thanks for the reply!
I'll start looking more into that approach, and see how it goes. I also think that OAuth2 could be a better approach. Maybe a combination of both.
Yes, absolutely. I am working on a Rails guide about using Devise for user management etc. When that is done I will link it in this post, and after that I am planning on making an introduction to third-party authentication (GitHub, Google, etc.). Stay tuned if you are interested!
Awesome!
Thanks for putting this together! We all need those baby steps at first lol
Hello Anes,
Thank you for your article.
I've never used Ruby as a programming language, so it's interesting to see it combined with a password security approach. It kind of reminds me of Python :).
I found some typos (?!) in your article (nothing really bad):
"...no not use this approach in any real software..."
This is just a small typo: "do not use..."
"...He can't do a lot with the salts, even in plain-text, but we want to be extra."
I assume you meant: "but we want to be extra sure"?
Hey Akin,
Thank you for the feedback! I proofread the article again and corrected a few minor mistakes I overlooked.
Why are people still storing passwords? Maybe it's time to move the internet to passwordless? I think most of the problem is not password storage, but how people create passwords, or how they store them.
I have to agree with you on multiple points: the biggest security risk is always the end user. While a software developer is educated in digital security, the average user won't be. And as a software engineer you should always look for a way in which you can get around storing passwords. Nonetheless, it is important to store your passwords securely if you have to. If there is a data leak, you are the person responsible for the leaked passwords. Or another situation: you have a man on the inside, who only wants the password of a certain user. He can simply look at the user's password and log in as him.