DEV Community


How (not) to store passwords

anes on September 16, 2022

The source code is here Why is securely storing passwords so necessary? A question I used to ask myself is: Why do I need to securely s...
Thomas Bnt

Hello!

In your "Second approach - digest" section, you have a typo in your code:

def register
  encrypt = password
-  sha2_digest = Digest::SHA2.new(256).hexdigest(encrpyt)
+  sha2_digest = Digest::SHA2.new(256).hexdigest(encrypt)
  @password = sha2_digest
end
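Review bot: the rename fixes the misspelled reference, but `encrypt = password` on the line above is a plain assignment, and the name suggests encryption where only a SHA-256 digest is computed; passing `password` straight to `hexdigest`, or naming the intermediate `plaintext`, would avoid the misleading name.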
anes

Oh, I didn't catch that. Thank you!

Jan Vlnas

I'd like to add a fifth approach: use an algorithm designed for passwords, like bcrypt, which takes care of salting for you, but it's also more computationally expensive with configurable complexity. I think bcrypt is still the default in Rails.

Using a single round of SHA-256 with all the existing hashing hardware acceleration (thanks Bitcoin!) isn't very secure nowadays.

anes

You're right, I should have mentioned the bcrypt approach. My goal in these articles is to show the reader how the theory behind all the library magic works, to make understanding the principles easier. Thanks for the heads up!

Anthony Grimaldi

Hello Anes!

Thanks for the post. I'm new to web development, and I've been working with bcrypt and similar libraries. Since these are the "do-not" approaches, what would you recommend to make password storage more secure?

anes

Hey Anthony!
The last approach that is documented (peppering) is a relatively secure approach, if you want to do it by hand. My goal with this article is to demonstrate how you could do it by hand, so that beginners know the theory. But when I make a RoR application I also use bcrypt. I have an article about bcrypt in Rails in the drafts, which I will link in my post as soon as it is done.
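The two points above, the password-specific algorithm with a built-in random salt and configurable cost that Jan recommends, and the pepper that the author's last approach adds by hand, combined in one runnable Ruby module. This is an added example, not code from the article or from the bcrypt gem: it uses PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library as a stand-in for bcrypt so that it runs without extra gems, and the module name `PasswordStore`, the `PASSWORD_PEPPER` environment variable and the record format are assumptions made for the example. In a Rails app you would use the bcrypt gem (`has_secure_password`) rather than this module.

```ruby
require "openssl"
require "securerandom"
require "digest"

# Added example, not code from the original article. PBKDF2-HMAC-SHA256 from
# the standard library stands in for bcrypt; the record format and the
# PASSWORD_PEPPER variable are assumptions for the example.
module PasswordStore
  SALT_BYTES = 16
  KEY_BYTES = 32
  DEFAULT_ITERATIONS = 100_000 # the "cost"; raise it as hardware gets faster

  # Server-side secret kept outside the database (environment variable,
  # secrets manager). The fallback value is for the example only.
  PEPPER = ENV.fetch("PASSWORD_PEPPER", "example-pepper-not-for-production")

  # The article's second approach, for contrast: one unsalted SHA-256.
  # Equal passwords give equal digests, so a leaked table can be attacked with
  # precomputed tables and GPU hashing.
  def self.unsalted_sha256(password)
    Digest::SHA256.hexdigest(password)
  end

  # Produces "pbkdf2-sha256$iterations$salt$hash". Storing the parameters with
  # the hash lets you raise the cost later without breaking old records.
  def self.hash_password(password, iterations: DEFAULT_ITERATIONS)
    salt = SecureRandom.random_bytes(SALT_BYTES)
    key = derive(password, salt, iterations)
    ["pbkdf2-sha256", iterations, salt.unpack1("H*"), key.unpack1("H*")].join("$")
  end

  # Re-derives the key with the stored salt and cost and compares in constant
  # time. Malformed records yield false instead of an exception.
  def self.verify(password, stored)
    algo, iter_s, salt_hex, hash_hex = stored.to_s.split("$", 4)
    return false unless algo == "pbkdf2-sha256" && salt_hex && hash_hex
    salt = [salt_hex].pack("H*")
    candidate = derive(password, salt, Integer(iter_s))
    secure_compare(candidate.unpack1("H*"), hash_hex)
  rescue ArgumentError, TypeError
    false
  end

  # True when the record was made with a lower cost than current policy, so
  # the caller should rehash after the next successful login.
  def self.needs_rehash?(stored, iterations: DEFAULT_ITERATIONS)
    Integer(stored.split("$", 4)[1]) < iterations
  end

  # Pepper first (HMAC keyed with the server secret), then the slow, salted
  # derivation. A database dump alone is useless without the pepper.
  def self.derive(password, salt, iterations)
    peppered = OpenSSL::HMAC.digest("SHA256", PEPPER, password)
    OpenSSL::KDF.pbkdf2_hmac(peppered, salt: salt, iterations: iterations,
                             length: KEY_BYTES, hash: "sha256")
  end
  private_class_method :derive

  # Constant-time comparison so the response time does not leak how many
  # leading bytes of the hash matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  record = PasswordStore.hash_password("correct horse battery staple")
  puts record
  puts PasswordStore.verify("correct horse battery staple", record)
  puts PasswordStore.verify("wrong password", record)
end
```

Hashing the same password twice gives two different records because each call draws a fresh salt, which is exactly what the unsalted SHA-256 digest from the article's second approach does not do; the iteration count is the knob Jan describes as configurable complexity, and `needs_rehash?` is how you migrate old records to a higher cost over time.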

Anthony Grimaldi

Thanks for the reply!
I'll start looking more into that approach, and see how it goes. I also think that OAuth2 could be a better approach. Maybe a combination of both.

anes

Yes, absolutely. I am working on a Rails guide about using Devise for user management etc. When that is done I will link it in this post, and after that I am planning on making an introduction to third-party authentication (GitHub, Google etc.). Stay tuned if you are interested!

Anthony Grimaldi

Awesome!
Thanks for putting this together! We all need those baby steps at first lol

Akin C.

Hello anes,

thank you for your article.
I've never used Ruby as a programming language, so it's interesting to see it combined with a password security approach. It kind of reminds me of Python :).

I found some typos (?!) in your article (nothing really bad).

"...no not use this approach in any real software..."
This is just a small typo: "do not use..."

"...He can't do a lot with the salts, even in plain-text, but we want to be extra."
I assume you meant: "but we want to be extra sure"?

anes

Hey Akin,
Thank you for the feedback! I proof-read the article again and corrected a few minor mistakes I overlooked.

Edvinas Cernauskas

Why are people still storing passwords? Maybe it's time to move the internet to passwordless? I think most of the problem is not password storage, but how people create passwords, or how they store them.

anes

I have to agree with you on multiple points: the biggest security risk is always the end user. While a software developer is educated in digital security, the average user won't be. And as a software engineer you should always look for a way in which you can get around storing passwords. Nonetheless it is important to store your passwords securely if you have to. If there is a data leak, you are the person responsible for leaked passwords. Or another situation: you have a man on the inside, who only wants the password of a certain user. He can simply look at the user's password and log in as him.