http://CustomSoftwareAdvisor.com/ Transcript below ...
Storing passwords in a secure manner is extremely important. This video is a brief overview for the executive, project manager, or IT manager, of current best practices for secure password storage.
-- Transcript --
00:19 You may believe user credentials are stored in the database in clear text (http://bit.ly/lPqS3C), but this is a very naive way to store passwords, and for my career it has been considered a very poor practice.
01:12 The problem is that if anybody hacks your database, they can easily log in as any user and do anything in the name of that user.
01:28 Even if your application doesn't allow users to do anything 'destructive', it can still serve as an embarrassment to the application and your company.
01:43 If you ever see user credentials stored in clear text format, you need to have a serious discussion with your programmer about storing them in a secure manner.
02:00 Part of the solution is to mask the password. So instead of storing it in clear text, you instead store the 'hash'.
02:16 What is a hash? A hash is the result of a computational algorithm (http://bit.ly/l5fdWa), where you pass in a password and it returns a series of alphanumeric characters.
02:35 A hash cannot be reverse engineered to get the original input (i.e. the password).
02:44 A hash is a one-way algorithm. In other words, you cannot take the result of a hashing algorithm and reverse it to get the original password; a hash result is similar to a scrambled egg, in that it can never be unscrambled.
03:05 However, the hashing algorithm is consistent, so hashing our password 'abc123' gives you the same hash value every time.
03:21 Don't create your own hashing algorithm; there are many included in most standard programming libraries.
There are even hashing generators online (http://bit.ly/kFeGEM, http://bit.ly/jfpWRO, etc.). Notice that when you enter my example password 'abc123', it is hashed to '6367c48dd193d56ea7b0baad25b19455e529f5ee'. Notice also that both generators hash to the same value, proving the algorithm's consistency.
04:08 However, hashing isn't enough. You can't just store the password hash to be secure.
04:20 You can't just store the password's hash, because hackers have databases called 'Rainbow Tables' (http://bit.ly/kXEnZV) where they can compare your hashed password and get the user's password almost instantly.
05:25 [I stutter and did not edit so people would see how I really speak]
05:34 We can get around this problem by salting the password and hashing the salted password.
05:49 What is a salt? A salt is a series of random alphanumeric characters which are prepended (or appended) to the clear text password. Then the combination of salt + password is hashed.
06:16 Then the salt and the hashed, salted password are stored in the database along with the user name.
06:48 Where do you get the salt? Again, there is functionality included in most programming libraries to generate this for you easily.
07:25 So how does this all tie together? When a user creates a new account, entering their user name and password (in clear text), then hits the submit button, we generate a salt, prepend/append the salt to the user-entered clear text password, creating a 'salted password', then hash the salted password. Then the user name, salt, and the hash of the salted password are all stored in the database.
08:11 When the user logs in, we retrieve the user credentials (salt and password hash) from the database based on their entered user name. Then we salt the user-entered clear text password, using the salt from the database, and generate the hash of that salted password. We then compare the calculated hash against the hash stored in the database, and we know the password is correct if the hash values match. If they don't match, then the password was incorrect.
09:08 In a nutshell, if you open your database and are able to read a user's password, then you need to get that fixed. It's a simple procedure, most programmers know how to do this, and there is plenty of documentation outlining how to secure your passwords.
Please comment below or email me directly if you have any questions, comments, or concerns.
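The registration and login procedure described in the transcript (generate a salt, hash salt + password, store user name, salt and hash; on login recompute and compare), as an added example that is not part of the original page and not the author's own code. It also reproduces the unsalted SHA-1 of 'abc123' quoted in the transcript and shows why an unsalted hash falls to a precomputed lookup table while a salted one does not. Assumptions: SHA-256 for the salted hash (the transcript does not name an algorithm), a Python dict standing in for the users table, a constructed five-entry password list standing in for a rainbow table, and a constant-time comparison on login, which the transcript does not mention.

```python
import hashlib
import hmac
import os

# Constructed list standing in for an attacker's precomputed "rainbow table":
# common passwords hashed once up front, then looked up by hash value.
COMMON_PASSWORDS = ["password", "123456", "abc123", "letmein", "qwerty"]


def plain_hash(password: str) -> str:
    """Unsalted SHA-1 of the password, as in the transcript's 'abc123' example."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


RAINBOW_TABLE = {plain_hash(p): p for p in COMMON_PASSWORDS}


def crack_with_table(stored_hash: str):
    """Return the password behind an unsalted hash if the table has it, else None."""
    return RAINBOW_TABLE.get(stored_hash)


def make_salt(nbytes: int = 16) -> str:
    """Fresh random salt from the OS CSPRNG, hex-encoded so it stores as text."""
    return os.urandom(nbytes).hex()


def salted_hash(salt: str, password: str) -> str:
    """Hash of salt + password (salt prepended, as the transcript describes).
    SHA-256 is an assumption; the transcript does not name the algorithm."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def register(db: dict, username: str, password: str) -> dict:
    """Account creation: generate a salt, store salt and salted hash, never the password."""
    salt = make_salt()
    db[username] = {"salt": salt, "hash": salted_hash(salt, password)}
    return db[username]


DUMMY_SALT = "00" * 16  # used for unknown user names, see login()


def login(db: dict, username: str, password: str) -> bool:
    """Login check: recompute the salted hash with the stored salt and compare."""
    record = db.get(username)
    if record is None:
        # Do the same hashing work for unknown users so response time does not
        # reveal which user names exist (added design choice, not from the page).
        salted_hash(DUMMY_SALT, password)
        return False
    candidate = salted_hash(record["salt"], password)
    # Constant-time comparison so a mismatch is not leaked byte by byte.
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    users = {}  # constructed in-memory stand-in for the users table
    register(users, "alice", "abc123")
    register(users, "bob", "abc123")
    print(plain_hash("abc123"))                      # 6367c48dd193d56ea7b0baad25b19455e529f5ee
    print(crack_with_table(plain_hash("abc123")))    # abc123: unsalted hash cracked instantly
    print(crack_with_table(users["alice"]["hash"]))  # None: salted hash is not in the table
    print(users["alice"]["hash"] != users["bob"]["hash"])  # True: same password, different hashes
    print(login(users, "alice", "abc123"), login(users, "alice", "wrong"))  # True False
```

Two points the code makes that the transcript leaves implicit: because every user gets a different salt, two users with the same password store different hashes, so one precomputed table cannot be reused across accounts; and the comparison on login should be constant-time. A per-user salt defeats precomputation but not brute force against a fast hash, so in a real system the `salted_hash` step is done with a deliberately slow password hash such as PBKDF2, bcrypt, scrypt or Argon2 rather than a single SHA-256 pass.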