Please pass the salt: Serve up passwords with a side of entropy

We’ll look at what you’re doing right… and wrong when storing your user passwords. We’ll look at the most basic forms of password storage and move to more secure methods, discussing advantages and disadvantages of each method, including covering high-visibility hacks that have hit real companies.

Passwords are like opinions, everyone has them and some are easier to figure out than others. As application developers and DBAs, our users entrust us with the precious keys to their social media, E-mails, bank accounts, and shopping history. Hopefully everyone has figured out storing your passwords in plain text is really bad, but is a simple hash good enough? You’ve probably heard someone say that if you’re rolling your own crypto, you’re probably doing it wrong, but what ARE you supposed to do? There’s so much information out there about encryption, hashes, iterations, salts, and entropy that it’s hard to decipher and sometimes even harder to convince your boss why it’s worth spending time on. Let’s take a practical look into the world of password storage by starting with the most basic approach and what’s wrong with it. We’ll work through many of the common techniques and explain how they fall short. We’ll talk about the tools crackers use such as brute force, lookups, and rainbow tables to explain how the baddies wrench your users’ secrets from your stolen databases using several recent high-profile attacks as examples. How can you protect against a thread you don’t even understand?

  • Why YOUR site is worth making secure
  • How hashing differs from encryption
  • What password policy creates the best entropy
  • What the heck is a rainbow table and does it have a pot of gold at the end?
  • What libraries you can start using today to do it “right”?