Best way to save password in aws dynamoDB

I am working on android application using amazon dynamodb service.

As I have to save basic user information and a password, please let me know what is the best way to save a password in DynamoDB?

Devganiya Hitesh asked Oct 27 '25 14:10


2 Answers

Don't save the password. Don't save the encrypted version of the password. Save the SHA-256 or SHA-512 version of the password. When the user goes to login, convert the attempted password to the same SHA-256 or SHA-512 value and use that to check what is in the database.

There are other more secure hashes as well, such as pbkdf2, scrypt and argon2; you might consider those instead of SHA hashes, which are getting easier to crack every year.

Why not the encrypted password? If someone gets a hold of your database and brute forces your encryption scheme, they now have all your passwords. Adding a salt to your password based on some part of the data like the user id helps, but a determined user can figure this out too.

If the user forgets their password, use their email address and/or phone number and send them a reset link that expires in 15 minutes or something to that effect.

And remember to use https for everything, never transmit the hash of a password over http.

jjxtra answered Oct 30 '25 03:10
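A concrete version of the advice in the answer above (store a salted, slow hash, never the password or a reversible encryption of it, and compare in constant time), written as an added example that is not code from the post. The DynamoDB attribute names and the scrypt parameters are assumptions; the last function only shapes the record as a low-level DynamoDB item, it does not call AWS.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed scrypt work factors (128 * r * N bytes of memory, about 16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_LEN = 32


def unsalted_sha256(password: str) -> str:
    """What NOT to store on its own: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a per-user salted scrypt hash; the password itself is never kept."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    # Store the parameters alongside the hash so they can be raised later.
    return {"algo": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(attempt: str, record: dict) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    if record.get("algo") != "scrypt":
        return False  # unknown scheme: fail closed
    expected = bytes.fromhex(record["hash"])
    digest = hashlib.scrypt(attempt.encode("utf-8"), salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"], dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def to_dynamodb_item(user_id: str, record: dict) -> dict:
    """Shape the verifier as a low-level DynamoDB item (attribute names assumed)."""
    return {
        "userId": {"S": user_id},
        "pwAlgo": {"S": record["algo"]},
        "pwParams": {"M": {"n": {"N": str(record["n"])},
                           "r": {"N": str(record["r"])},
                           "p": {"N": str(record["p"])}}},
        "pwSalt": {"S": record["salt"]},
        "pwHash": {"S": record["hash"]},
    }
```

Two users who pick the same password get the same `unsalted_sha256` value but different `hash_password` records, which is the reason the answer recommends a salt and a slow hash.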


It is not recommended to keep sensitive information without encryption in DynamoDB in plain text. You can encrypt the password using AWS KMS and store the encrypted text in DynamoDB.

As an alternative option, you can see whether you can use AWS Cognito Userpools for user identity storage (Not sure whether this is applicable to your use case).

Ashan answered Oct 30 '25 03:10

