 How-to-Store-Passwords.html

<!DOCTYPE html>
<html lang="en-us" prefix="og: https://ogp.me/ns# article: http://ogp.me/ns/article# profile: https://ogp.me/ns/profile#">

<head>

<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>How to Store Passwords - S0G</title>
<link rel="stylesheet" href="/src/global.css" />
<meta property="og:locale" content="en_US" />
<meta property="og:site_name" content="Steve0Greatness" />
<meta property="og:image" content="/OG-Image.png" />

<link rel="stylesheet" href="/src/code-blocks.css" />
<link rel="stylesheet" href="/src/blog.css" />
<link rel="alternate" href="/blog/How-to-Store-Passwords.txt" type="text/plain" title="Post source" />
<meta property="og:title" content="How to Store Passwords" />
<meta property="og:type" content="article" />
<meta property="article:published_time" content="2023-11-02T00:00:00Z" />
<meta property="article:author" content="https://steve0greatness.github.io" />

<meta property="profile:first_name" content="Steve0Greatness" />
<meta property="profile:username" content="Steve0Greatness" />
<meta property="profile:gender" content="male" />
<meta property="og:url" content="https://steve0greatness.github.io/blog/How-to-Store-Passwords.html" />

</head>
<body>
<header>
<h2><a href="/"><img src="/SteveLogo.webp" height="35" width="215" alt="Steve0Greatness" /></a></h2>
<nav>
<a href="/blog">Blog</a>
<a href="/list/link-tree.html">Link Tree</a>
</nav>
</header>

<nav aria-label="breadcrumbs" aria-roledescription="Site breadcrumb">
<ol class="breadcrumbs">
<li>
<a href="/">Index</a>
</li>
<li>
<a href="/blog">Blog Index</a>
</li>
<li>
<a aria-current="location" href="/blog/How-to-Store-Passwords.html">How to Store Passwords</a>
</li>
</ol>
</nav>
<main>
<h1>How to Store Passwords</h1>
<article>
<header>
<div role="toolbar" class="toolbar">
<strong>Share</strong>
<a href="https://toot.kytta.dev/?text=Take a look at this article by @S0G@mastodon.social: https://steve0greatness.github.io/blog/How-to-Store-Passwords.html" title="Share to Mastodon">
<img src="/toot-kytta-dev-icon.png" width="16" height="16" aria-hidden="true" title="Share to Mastodon" />
</a>
<a href="/blog/How-to-Store-Passwords.html" title="Direct link">
<img src="/link-icon.png" width="16" height="16" aria-hidden="true" title="Direct link" />
</a>
<a href="/blog/How-to-Store-Passwords.txt" title="Markdown source">
<img src="/md-src.png" width="16" height="16" aria-hidden="true" title="Markdown source" />
</a>
</div>
<div class="time-stamps">
<time datetime="2023-11-02T00:00:00-08:00">2023 Nov 2 PST</time>
</div>
</header>
<p><strong>Disclaimer</strong>: The world of cyber-security is an incredibly complex and constantly evolving topic, and I am not a cyber-security researcher; I create projects for fun.</p>

<p>Storing a password on a server can be intimidating. Password management is incredibly tricky, as anything you mess up could compromise your users' password(s). Thankfully, random websites you've never visited before have a pure HTML blog post from 2023 about that exact topic, and how to do it properly.</p>

<p>Basically, it's just this sequence of steps:</p>

<ul>
<li>Generate a long random sequence of bytes from a cryptographically secure random generator; this is called a <em><a href="https://en.wikipedia.org/wiki/Salt_(cryptography)">salt</a></em>. Generate a fresh one for each user; do not use a single master salt shared by everyone.</li>
<li>Prepend (or append, it doesn't matter, just keep it consistent) this salt to the user's password. Functions built for this job, such as PBKDF2, take the salt as a separate parameter and do the combining for you.</li>
<li>Use a deliberately slow <a href="https://en.wikipedia.org/wiki/Hash_function">hashing algorithm</a> built for passwords, such as <a href="https://en.wikipedia.org/wiki/PBKDF2">PBKDF2</a> with a high iteration count, to derive a fixed-length hash from the salted password. A single round of a fast hash like SHA-256 is not enough on its own.</li>
<li>Store the salt and the hash together in the same record (the salt is not secret); <em>do not</em> store the password itself.</li>
</ul>

<p>And to check whether a password is right, repeat the steps, except rather than generating a new random salt, use the one you stored along with the hash, then compare the result with the stored hash using a constant-time comparison.</p>
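<p>The four steps and the check above, carried out end to end in Python. This is an added example and not code from the original post; the salt length, the iteration count and the <code>algorithm$iterations$salt$hash</code> record format are assumptions made for the example, and <code>hash_password</code> and <code>verify_password</code> are names chosen here.</p>

```python
"""Salted password storage with PBKDF2-HMAC-SHA256, following the post's steps.

This is an added example, not code from the original post. The salt length,
the iteration count and the record format
    pbkdf2_sha256$ITERATIONS$SALT_HEX$HASH_HEX
are illustrative choices made here, not requirements from the post.
"""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor: tune so one derivation costs a few hundred ms
SALT_BYTES = 16       # assumed salt length: 128 random bits per user


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2 takes the salt as its own argument, so the post's
    # "prepend or append the salt" step happens inside the function.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str) -> str:
    """Steps 1-4: fresh per-user salt, slow hash, store salt and hash together."""
    salt = secrets.token_bytes(SALT_BYTES)        # step 1: random, one per user
    digest = _derive(password, salt, ITERATIONS)  # steps 2-3
    # step 4: one record carrying everything needed to verify later;
    # the salt is not secret, so it can sit next to the hash
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the derivation with the STORED salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than crash
    if algorithm != ALGORITHM:
        return False
    candidate = _derive(password, salt, rounds)
    # compare_digest does not stop at the first differing byte, so the
    # comparison time leaks nothing about how close the guess was
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor3", record))                     # False
```

<p>Running the module hashes one password, verifies the right one and rejects a wrong one. Because a new salt is drawn each time, calling <code>hash_password</code> twice on the same password yields two different records, both of which verify; the iteration count lives in the record so it can be raised for new users without breaking existing ones.</p>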
<h2 id="why-do-this">Why Do <em>This</em>?</h2>

<p>You might be thinking: <em>That's a bit arbitrary, innit?</em> And if you aren't, then you can stop reading now.</p>

<p>Salting and then hashing with a slow, purpose-built function is the standard way to store passwords securely. So let's go through the other common approaches, and why they aren't so good.</p>

<h3 id="plaintext-passwords">Plaintext Passwords</h3>

<p>Storing passwords in plaintext lets anyone who gets into your server read every password directly. No matter how strong a user's password is, their account is compromised the moment an unauthorized or malicious individual gains access to the database.</p>

<h3 id="encrypted-passwords">Encrypted Passwords</h3>

<p>This is basically just plaintext with additional steps. Encryption is reversible by design, so as long as the master key is stored somewhere the server can read it, an attacker who gets into your system takes the key along with the ciphertext and decrypts every password. The server never needs the original password back to check a login, so there is nothing to gain from being able to recover it.</p>

<h3 id="bare-hashing">Bare Hashing</h3>

<p>A hash can't be undone, so in theory you should be able to <em>just</em> hash the password. This, while a fair assumption, has been incorrect for quite some time. There are databases online (lookup tables and rainbow tables) that store every word in the English language (or just some words) plus common passwords, alongside their hashes, and users will often use exactly those for their passwords, even though it's insecure. An attacker who gets hold of a bare hash simply looks it up. Bare hashing has a second problem: two users with the same password get the same hash, so one cracked hash unlocks every account that shares it.</p>

<p>This is where salts come in. Due to the nature of hashes, even a single-character change in a string entirely changes its hash, so adding a random sequence of characters to the password gives it a hash that appears in no precomputed table, and two users with the same password end up with different hashes. The attacker has to start guessing over again for each user's salt, and the slow hash from the steps above makes every one of those guesses expensive.</p>
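<p>To see the difference the salt makes, here is an added example (not from the original post) that builds a tiny precomputed table from a constructed five-word list, cracks two unsalted SHA-256 hashes with a single lookup each, and then stores the same two passwords with per-user salts: the table finds nothing, the two users no longer share a hash, and the attacker has to redo the wordlist for each salt. Everything in it, the wordlist, the users and the leaked records, is constructed for illustration. SHA-256 is used here on purpose to isolate what the salt alone buys; the slow hash from the steps above is a separate defence.</p>

```python
"""Why a bare hash is not enough and what a per-user salt changes.

Added example, not code from the original post. The wordlist, the two
users and their "leaked" records are all constructed here for illustration.
SHA-256 stands in for any fast hash a server might use on its own.
"""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed miniature of the precomputed tables the post describes:
# every wordlist entry hashed once, indexed by its hash.
WORDLIST = ["password", "letmein", "dragon", "sunshine", "qwerty"]
LOOKUP_TABLE = {hashlib.sha256(w.encode()).hexdigest(): w for w in WORDLIST}


def crack_unsalted(db: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Bare hashes fall to one dictionary lookup per user: no hashing at all."""
    return {user: LOOKUP_TABLE.get(h) for user, h in db.items()}


def salted_sha256(password: str, salt: bytes) -> str:
    """The post's 'append the salt' variant, still over a fast hash."""
    return hashlib.sha256(password.encode() + salt).hexdigest()


def build_salted_db(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Store (salt, hash) per user, with a fresh random salt for every user."""
    db = {}
    for user, pw in passwords.items():
        salt = secrets.token_bytes(16)
        db[user] = (salt, salted_sha256(pw, salt))
    return db


def attack_salted(db: Dict[str, Tuple[bytes, str]]) -> Tuple[int, int, Dict[str, str]]:
    """Returns (table_hits, hashes_computed, recovered).

    The precomputed table scores zero hits, because no table contains
    hashes for a random salt it has never seen. The attacker has to
    recompute the wordlist against each user's salt separately; weak
    passwords still fall, but only after doing the hashing work, per user.
    """
    table_hits = sum(1 for _, h in db.values() if h in LOOKUP_TABLE)
    recovered: Dict[str, str] = {}
    hashes_computed = 0
    for user, (salt, h) in db.items():
        for w in WORDLIST:
            hashes_computed += 1
            if salted_sha256(w, salt) == h:
                recovered[user] = w
                break
    return table_hits, hashes_computed, recovered


# Constructed "leaked" tables: alice and bob picked the same weak password.
USERS = {"alice": "dragon", "bob": "dragon"}
UNSALTED_DB = {user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in USERS.items()}
SALTED_DB = build_salted_db(USERS)

if __name__ == "__main__":
    # Unsalted: identical hashes reveal the shared password, and the table
    # returns it instantly.
    print(UNSALTED_DB["alice"] == UNSALTED_DB["bob"])  # True
    print(crack_unsalted(UNSALTED_DB))                 # {'alice': 'dragon', 'bob': 'dragon'}
    # Salted: hashes differ, the table is useless, cracking costs real hashing.
    print(SALTED_DB["alice"][1] == SALTED_DB["bob"][1])  # False
    print(attack_salted(SALTED_DB))                      # (0, 6, {'alice': 'dragon', 'bob': 'dragon'})
```

<p>The count of six hashes for two users comes from "dragon" being the third word in the constructed list: three guesses per user, repeated for each salt. With a real wordlist and a slow hash in place of SHA-256, that per-user repetition is exactly the cost the attacker is forced to pay.</p>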

</article>
</main>
<footer>
<div class="footer-link-list-holder" role="group">
<span aria-hidden="true" id="footer-label-site-details" class="footer-link-list-label">Site Meta</span>
<ol class="footer-link-list" aria-labelledby="footer-label-site-details">
<li><a href="/list/website-sources-mirrors.html">Source Code and Mirrors</a></li>
<li><a href="https://steve0greatness.github.io/extras">Extras</a></li>
</ol>
</div>
<div class="footer-link-list-holder" role="group">
<span aria-hidden="true" id="footer-label-social-accounts" class="footer-link-list-label">Social Accounts</span>
<ol class="footer-link-list" aria-labelledby="footer-label-social-accounts">
<li><a href="https://mastodon.social/@S0G" rel="me">Mastodon</a></li>
<li><a href="https://youtube.com/@s0g">YouTube</a></li>
<li><a href="/list/link-tree.html">More...</a></li>
</ol>
</div>
</footer>
</body>

</html>