Find solution
what encryption is used?

What are the ways to store passwords in an encrypted manner in a DB and what methods can be used for both encryption and decryption?

  • I have a username and password. I want to store them in DB in a secured way. I am very new to this, dont know much. Please help.

  • Answer:

    The short answer is, if you must store passwords, use a library implementation of a construction like PBKDF2, bcrypt, scrypt, or Argon2 that was designed for this purpose by people who have spent a lot more time thinking about this problem than you or I. Cryptographers have carefully crafted these constructions to minimize the damage that might be caused if an attacker gets hold of your database, in three ways: They are computationally impossible to decrypt (“one-way”). When the user logs in, their password is not checked by decrypting the stored value, but rather by re-encrypting the provided password and checking for a match. This means a compromised database can’t immediately be used to log in to accounts with reused passwords on other servers. They are moderately expensive to encrypt (“stretched”)—typically a few thousand times more expensive than a standard hash function. That’s still fast enough it doesn’t noticeably slow down legitimate logins, but it greatly reduces the rate at which an attacker can perform a brute-force attack where they encrypt many password guesses and check for a match. They are encrypted differently for each password (“salted”). This prevents an attacker from reusing the computational effort of a brute-force attack to target many encrypted passwords simultaneously; it forces them to pick their target in advance. (If you think that an attacker getting hold of your database is something that could never possibly happen to you, you’re wrong. If you still think that could never possibly happen to you, then you need to stop developing your application and get out of the computer programming industry immediately, because otherwise you’re putting all your users at risk.)For details, read http://throwingfire.com/storing-passwords-securely/, especially the parts about why salting and stretching are important.

Anders Kaseorg at Quora Visit the source

Was this solution helpful to you?

Other answers

Another short answer is that you shouldn't store passwords at all (hashed or not). Use Google Accounts, Facebook Connect, OpenID, TLS certificates, or Mozilla Persona (https://www.persona.org/). Just no more unnecessary passwords! Mozilla Persona is the newest and is probably the best compromise between privacy, security, and practicality. Hopefully it will win.

Keith Winstein

No specific recommendation. However, I've been listening to Steve Gibson's Security Now podcast, which has a lot of great information about these sorts of topics. It's a great resource and I've learned a lot. Check it out - http://www.grc.com/securitynow.htm

Robert Lawson

there are three password encryption modules which are rot ,md5 and crypt

Lordrick Silvester Munuo

Ngoc Dao

I am not going to rehash what others have said. But to make it easier for you , brings up a good point on how you want to  use the passwords and provides high level options.  Next if you choose to use the password for authentication, then follow the principles laid out by . If you are using username/password for authenticating users to your application, then you will also run into password reset. Then read the link provided by . But the real question is , do you really want to use username/password for authentication?  can you use other identity systems like Google+ or Facebook? . This is what was talking about.  I haven't looked into Mozilla Persona in detail (except for couple of talks) so I am not going to comment on that. But you can look it up. For some specific details If you are using the username/password to authenticate the user ( before they can access your app) , then use PBKDF2.   Just google PBKDF2 and your programming language you should find your library to use.   If you are storing the password to access a remote resource like DB or WebServices, then you have to encrypt and use "AES" with appropriate IV and base64 encode the response. remember to store encryption key and IV as you need that to decrypt the data.  Again google AES encryption with "programming language" , then you will hit jackpot.

Sitaraman Lakshminarayanan

To store user passwords safely, it is critical to first understand the application requirement, whether it's only for authentication purposes or that password is required to be re-used in different manner. If the password is used solely for authentication process then there is only one best option to hash and store the user password. This is a one-way function, the hashed value cannot be reversed to obtain the user original password. As mentioned in your question that you may require decryption, then you need to look at any Symmetric encryption, this is a reversible operation with the down-side being that you would also need to store the encryption key.

Deepankar Raizada

Related Q & A:

Just Added Q & A:

Find solution

For every problem there is a solution! Proved by Solucija.

  • Got an issue and looking for advice?

  • Ask Solucija to search every corner of the Web for help.

  • Get workable solutions and helpful tips in a moment.

Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.