How-to-Store-Passwords.html
HTML document, ASCII text, with very long lines (423)
1<!DOCTYPE html> 2<html lang="en-us" prefix="og: https://ogp.me/ns# article: http://ogp.me/ns/article# profile: https://ogp.me/ns/profile#"> 3 4<head> 5 6 7<meta charset="UTF-8" /> 8<meta name="viewport" content="width=device-width, initial-scale=1.0" /> 9<title>How to Store a Passwords - S0G</title> 10<link rel="stylesheet" href="/src/global.css" /> 11<meta property="og:locale" content="en_US" /> 12<meta property="og:site_name" content="Steve0Greatness" /> 13<meta property="og:image" content="/OG-Image.png" /> 14 15<link rel="stylesheet" href="/src/code-blocks.css" /> 16<link rel="stylesheet" href="/src/blog.css" /> 17<link rel="alternate" href="/blog/How-to-Store-Passwords.txt" type="text/plain" title="Post source" /> 18<meta property="og:title" content="How to Store a Passwords" /> 19<meta property="og:type" content="article" /> 20<meta property="article:published_time" content="2023-11-02T00:00:00Z" /> 21<meta property="article:author" content"https://steve0greatness.github.io" /> 22 23<meta property="profile:first_name" content="Steve0Greatness" /> 24<meta property="profile:username" content="Steve0Greatness" /> 25<meta property="profile:gender" content="male" /> 26<meta property="og:url" content="https://steve0greatness.github.io/blog/How-to-Store-Passwords.html" /> 27 28</head> 29 30<body> 31<header> 32<h2><a href="/"><img src="/SteveLogo.webp" height="35" width="215" alt="Steve0Greatness" /></a></h2> 33<nav> 34<a href="/blog">Blog</a> 35<a href="/list/link-tree.html">Link Tree</a> 36</nav> 37</header> 38 39<nav aria-label="breadcrumbs" aria-roledescription="Site breadcrumb"> 40<ol class="breadcrumbs"> 41 42<li> 43<a href="/">Index</a> 44</li> 45 46<li > 47<a 48 49href="/blog" 50>Blog Index</a> 51</li> 52 53<li > 54<a 55aria-current="location" 56href="/blog/How-to-Store-Passwords.html" 57>How to Store a Passwords</a> 58</li> 59 60 61</ol> 62</nav> 63<main> 64<h1>How to Store a Passwords</h1> 65<article> 66<header> 67<div role="toolbar" class="toolbar"> 68<strong>Share</strong> 69<a href="https://toot.kytta.dev/?text=Take a look at this article by @S0G@mastodon.social: https://steve0greatness.github.io/blog/How-to-Store-Passwords.html" title="Share to Mastodon"> 70<img src="/toot-kytta-dev-icon.png" width="16" height="16" aria-hidden="true" title="Share to Mastodon" /> 71</a> 72<a href="/blog/How-to-Store-Passwords.html" title="Direct link"> 73<img src="/link-icon.png" width="16" height="16" aria-hidden="true" title="Direct link" /> 74</a> 75<a href="/blog/How-to-Store-Passwords.txt" title="Markdown source"> 76<img src="/md-src.png" width="16" height="16" aria-hidden="true" /> 77</a> 78</div> 79<div class="time-stamps"> 80<time datetime="2023-11-02T00:00:00-08:00">2023 Nov 2 PST</time> 81 82 83</div> 84</header> 85<p><strong>Disclaimer</strong>: The world of cyber-security is an incredibly complex and constantly evolving topic, and I am not a cyber-security researcher; I create projects for fun.</p> 86 87<p>Storing a password in a server can be intimidating. Password management is incredibly tricky, as anything you mess up could compromise your users' password(s). Thankfully, random websites you've never visited before have a pure HTML blog post from 2023 about that exact topic, and how to do it properly.</p> 88 89<p>Basically, it's just this sequence of steps:</p> 90 91<ul> 92<li>Generate a long random sequence of characters, this is called a <em><a href="https://en.wikipedia.org/wiki/Salt_(cryptography)">salt</a></em>(generate for each user, do not use a master salt)</li> 93<li>Prepend(or append, it doesn't matter, just keep it consistent) this to the user's password</li> 94<li>Use a <a href="https://en.wikipedia.org/wiki/Hash_function">hashing algorithm</a>, such as <a href="https://en.wikipedia.org/wiki/PBKDF2">PBKDF2</a>, to generate a unique sequence of characters that will uniquely identify that password.</li> 95<li>Store the salt and hash in the same place, <em>do not</em> store the password on it's own.</li> 96</ul> 97 98<p>And to check if a password is right, repeat the steps, except rather than generating a random sequence of characters, get the sequence of characters that you've stored along with the hash.</p> 99 100<h2 id="why-do-this">Why Do <em>This</em>?</h2> 101 102<p>You might be thinking: <em>That's a bit arbitrary innit?</em> And if you aren't then you can stop reading now.</p> 103 104<p>This method of storing passwords is the only way to ensure that you are securely storing them. So let's go through some other ways, and why they aren't so good.</p> 105 106<h3 id="plaintext-passwords">Plaintext Passwords</h3> 107 108<p>Storing your passwords in plaintext allows anyone who can get into your server to easily take any password they want, as no matter how good your users' password is, their account will be hacked if an unauthorized or malicious individual is able to get in.</p> 109 110<h3 id="encrypted-passwords">Encrypted Passwords</h3> 111 112<p>This is basically just plaintext with additional steps. As long as your master-key is stored somewhere, it will get stolen as soon as somebody manages to get into your system.</p> 113 114<h3 id="bare-hashing">Bare Hashing</h3> 115 116<p>A hash isn't able to be undone, meaning theoretically you should be able to <em>just</em> hash your password. This, while a fair assumption, has unfortunately been incorrect for quite some time. There are databases online that store every word in the english language(or just some words) in addition to common passwords and their hashes, and users will often use words for their passwords, even though it's insecure.</p> 117 118<p>This is where salts come in. Due to the nature of hashes, even a single change in a string will entirely change it's hash, as such, if you add a random sequence of characters to a string, then you can entirely change it's hash.</p> 119 120</article> 121</main> 122<footer> 123<div class="footer-link-list-holder" role="group"> 124<span aria-hidden="true" id="footer-label-site-details" class="footer-link-list-label">Site Meta</span> 125<ol class="footer-link-list" aria-labelledby="footer-label-site-details"> 126<li><a href="/list/website-sources-mirrors.html">Source Code and Mirrors</a></li> 127<li><a href="https://steve0greatness.github.io/extras">Extras</a></li> 128</ol> 129</div> 130<div class="footer-link-list-holder" role="group"> 131<span aria-hidden="true" id="footer-label-social-accounts" class="footer-link-list-label">Social Accounts</span> 132<ol class="footer-link-list" aria-labelledby="footer-label-social-accounts"> 133<li><a href="https://mastodon.social/@S0G" rel="me">Mastodon</a></li> 134<li><a href="https://youtube.com/@s0g">YouTube</a></li> 135<li><a href="/list/link-tree.html">More...</a></li> 136</ol> 137</div> 138</footer> 139</body> 140 141</html>