Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Preferred Method of Storing Passwords In Database

What is your preferred method/datatype for storing passwords in a database (preferably SQL Server 2005). The way I have been doing it in several of our applications is to first use the .NET encryption libraries and then store them in the database as binary(16). Is this the preferred method or should I be using a different datatype or allocating more space than 16?

like image 686
TheTXI Avatar asked Mar 05 '09 17:03

TheTXI


People also ask

What is the best method of storing passwords?

Best place to store passwords — A reputable password manager app is the best way to store passwords securely. A password manager allows you to easily create, manage, and access your secure passwords.

What is the best practice in storing passwords in a database?

Hash all passwords Never store passwords in plain text. Always create a hash from them and store the hash instead. In password storage, hashing is superior to encryption since a hash can't be reversed.

Which of the following is the best method to secure a password in a database?

The best security practice is not to store the password at all (not even encrypted), but to store the salted hash (with a unique salt per password) of the encrypted password. That way it is (practically) impossible to retrieve a plaintext password.


1 Answers

I store the salted hash equivalent of the password in the database and never the password itself, then always compare the hash to the generated one of what the user passed in.

It's too dangerous to ever store the literal password data anywhere. This makes recovery impossible, but when someone forgets or loses a password you can run through some checks and create a new password.

like image 183
Quintin Robinson Avatar answered Oct 08 '22 09:10

Quintin Robinson