A mirror of my website's source code.


added a blog post: How to store passwords

steve0greatness,
created on Friday, 3 November 2023, 05:04:43 (1698987883), received on Monday, 6 May 2024, 02:55:32 (1714964132)
Author identity: Steve0Greatness <75220768+Steve0Greatness@users.noreply.github.com>

c0ff593c5bab75d212e84cb4f089be1a5277379f

blog/How-to-Store-Passwords.htm

@@ -0,0 +1,56 @@

                                
                                
                                
                            
                                
                                    
                                        
                                        <!DOCTYPE html>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        <html lang="en">
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        <head>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <meta charset="UTF-8">
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <meta name="viewport" content="width=device-width, initial-scale=1.0">
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <title>How to Store Passwords</title>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <style>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                .breadcrumbs {
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    display: flex;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    list-style-type: none;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    padding: 0;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                }
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                .breadcrumbs li:not(:first-child)::before {
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    display: inline-block;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    content: "Β»";
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    margin: 0 8px;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                }
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                .direct-link {
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    text-decoration: none;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    font-size: 12px;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                }
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            </style>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        </head>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        <body>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <h1>How to Store a Passwords <a href="/blog/How-to-Store-Passwords.htm" title="permalink" class="direct-link">πŸ”—</a></h1>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <ul class="breadcrumbs">
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                <li><a href="/">Index</a></li>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                <li><i>How to Store Passwords</i></li>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            </ul>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <i>Posted: <date>2 Nov, 2023</date></i>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <p><b>Disclaimer</b>: The world of cyber-security is an incredibly complex and constantly evolving topic, and I am not a cyber-security researcher; I create projects for fun.</p>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <p>Storing a password in a server can be intimidating. Password management is incredibly tricky, as anything you mess up could compromise your users' password(s). Thankfully, random websites you've never visited before have a pure HTML blog post from 2023 about that exact topic, and how to do it properly.</p>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <p>Basically, it's just this sequence of steps:</p>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <ul>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                <li>Generate a long random sequence of characters, this is called a <a href="https://en.wikipedia.org/wiki/Salt_(cryptography)"><i>salt</i></a>(generate for each user, do not use a master salt)</li>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                <li>Prepend(or append, it doesn't matter, just keep it consistent) this to the user's password</li>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                <li>Use a <a href="https://en.wikipedia.org/wiki/Hash_function">hashing algorithm</a>, such as <a href="https://en.wikipedia.org/wiki/PBKDF2">PBKDF2</a>, to generate a unique sequence of characters that will uniquely identify that password.</li>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                <li>Store the salt and hash(in the same place), <i>do not</i> store the password on it's own.</li>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            </ul>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <p>And to check if a password is right, repeat the steps, except rather than generating a random sequence of characters, get the sequence of characters that you've stored along with the hash.</p>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <h2 id="why-do-this">Why Do <i>This</i>? <a href="#why-do-this" title="permalink" class="direct-link">πŸ”—</a></h2>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <p>You might be thinking: <i>That's a bit arbitrary innit?</i> And if you aren't then you can stop reading now.</p>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <p>This method of storing passwords is the only way to ensure that you are securely storing them. So let's go through some other ways, and why they aren't so good.</p>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <h3 id="plaintext-passwords">Plaintext Passwords <a href="#plaintext-passwords" title="permalink" class="direct-link">πŸ”—</a></h2>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <p>Storing your passwords in plaintext allows anyone who can get into your server to easily take any password they want, as no matter how good your users' password is, their account will be hacked if an unauthorized or malicious individual is able to get in.</p>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <h3 id="encrypted-passwords">Encrypted Passwords <a href="#encrypted-passwords" title="permalink" class="direct-link">πŸ”—</a></h2>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <p>This is basically just plaintext with additional steps. As long as your master-key is stored somewhere, it will get stolen as soon as somebody manages to get into your system.</p>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <h3 id="bare-hashing">Bare Hashing <a href="#encrypted-passwords" title="permalink" class="direct-link">πŸ”—</a></h3>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <p>A hash isn't able to be undone, meaning theoretically you should be able to <i>just</i> hash your password. This, while a fair assumption, has unfortunately been incorrect for quite some time. There are databases online that store every word in the english language(or just some words) in addition to common passwords and their hashes, and users will often use words for their passwords, even though it's insecure.</p>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <p>This is where salts come in. Due to the nature of hashes, even a single change in a string will entirely change it's hash, as such, if you add a random sequence of characters to a string, then you can entirely change it's hash.</p>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        </body>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        </html>
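Review bot: The third item of the steps list links "hashing algorithm" to the generic Hash function article and gives PBKDF2 only as an example, so a reader can follow steps 2 and 3 with one pass of a fast general-purpose hash over salt plus password, and the post never says why that is not enough. Suggest stating that the step needs a deliberately slow password-hashing function, and that PBKDF2 takes the salt and an iteration count as separate inputs rather than a string glued to the password, so the iteration count belongs in storage next to the salt and hash; "uniquely identify that password" also overstates what a hash guarantees. Markup in the same hunk: the `plaintext-passwords` and `encrypted-passwords` headings open with `<h3>` but close with `</h2>`, the "Bare Hashing" permalink points to `#encrypted-passwords` instead of `#bare-hashing`, the `<h1>` reads "How to Store a Passwords" while the `<title>` has "How to Store Passwords", `<date>` is not an HTML element (`<time datetime="2023-11-02">` is the standard one), and "it's" should be "its" in "on it's own" and "change it's hash".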
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                            
                                

index.html

@@ -6,9 +6,20 @@

                                
                                
                                
                            
                                
                                    
                                        
                                            
                                                <meta name="viewport" content="width=device-width, initial-scale=1.0">
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                                <title>Steve0Greatness</title>
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                                <style>
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                ref {
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    font-style: italic;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    float: right;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                .breadcrumbs {
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    display: flex;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    list-style-type: none;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    padding: 0;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                }
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                .breadcrumbs li:not(:first-child)::before {
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    display: inline-block;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    content: "Β»";
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    margin: 0 8px;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                }
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                        
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                .direct-link {
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    text-decoration: none;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    font-size: 12px;
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                                    }
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                                </style>
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            </head>
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        

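Review bot: The `ref {` rule is never closed before `.breadcrumbs {` opens, as this hunk shows it: `float: right;` is followed directly by the new selector, and the only `}` after the `.direct-link` declarations is the one following `font-size: 12px;`. Give `ref` its own closing `}` right after `float: right;` so that the `.breadcrumbs` and `.direct-link` rules are top-level rules rather than being swallowed by it. Separately, the separator in `content: "Β»";` looks like a mis-encoded `»`; writing it as the CSS escape `"\00BB"` makes it independent of the file's encoding, since no `<meta charset>` is visible in this hunk.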
@@ -18,7 +29,14 @@

                                
                                
                                
                            
                                
                                    
                                        
                                            
                                                <img src="ProfilePictureSpin.gif" width="50" alt="3D rotating cube of the cat from Stray">
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                                <i>Made with <a href="https://www.3dgifmaker.com">3D Gif Maker</a></i>
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                                <h2>Blog Posts</h2>
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <ul></ul>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            <table>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                <thead>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    <tr><th>Name</th><th>Date</th></tr>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                </thead>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                <tbody>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                    <tr><th><a href="/blog/How-to-Store-Passwords.htm">How to Store Passwords</a></th><td><date>2 Nov, 2023</date></td></tr>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                                </tbody>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            </table>
                                        
                                        
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            </body>
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            
                                        
                                        
                                            
                                            
                                            
                                            
                                        
                                    
                                
                                
                                
                            
                                
                                    
                                        
                                            
                                            </html>
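Review bot: `<date>` in the new table row is not an HTML element, so the date carries no machine-readable value; use `<time datetime="2023-11-02">2 Nov, 2023</time>` instead. The post title sits in a `<th>` inside `<tbody>` without `scope="row"`, so either add the scope or make it a `<td>`. The empty `<ul></ul>` directly under `<h2>Blog Posts</h2>` looks like a leftover from before the table was added and can be dropped.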