All you ever wanted to know about password hashing

Well, sometimes I'm lucky and somebody else writes something so I don't have to. Since you should assume that your system will be breached eventually, you should make sure that your users' passwords cannot be exposed, as a lot of users reuse their passwords across multiple sites.

That is why you should read this article, which does a good job of explaining both how password hashing works and why you need it. And remember that password hashing is used to mitigate the impact of your user database being stolen, not to protect access when an attacker can execute arbitrary code on your system. It is far more common for data to be exfiltrated than for an attacker to gain full control over a system.

It is also good manners not to know your users' passwords. It is a long time since I encountered an application that would email me my password rather than do a password reset. Also, this stuff is not new: it has been used in pretty much all operating systems from the start, so why would you not do it in your (web) application?

1 comment:

  1. Thank you! This never gets enough attention but it's crucial.