
Thursday, July 3, 2014

Passwords in Database

It is inevitable that user passwords will be stored in databases for a good number of applications in the wild. Most of the passwords stored in databases are weakly protected or left in plaintext. Application developers usually blame security for being a difficult task (which is very true), and developers without adequate knowledge of computer security and cryptography usually do a bad job of securing sensitive data like user passwords. Database makers may also be partially at fault for not adding features that ensure strong data security; they usually point out that data security is not the main aim of the databases they distribute, and push the blame back to the application developers for not making their application data secure.

Indeed, security is difficult, but it can be easily solved if everyone (from the application developers to the cryptographers and database makers) were to sit down and put their minds together to make security easy for ordinary users. Below are some suggestions I have to make data security easy for passwords stored in databases.


  1. Make crypto libraries simple for developers, with as little frustration over dependencies as possible. Developers should simply need to call an easy-to-use, straightforward API. They should not need to know a lot about cryptography to use it. For example, developers should be able to call "passwordEncrypt('bcrypt', 'this15MyPassw0rd');" and that's all they need. If they need to tweak settings, they can call "passwordEncryptTweak('rounds', 10000000);" or something similar. The API documentation should be simple and concise for developers to use.
  2. Database developers may want to facilitate password security by introducing a Password type that returns a hexadecimal string of the hashed/encrypted password. All Password objects would be hashed/encrypted according to the algorithm set in the database properties, and should support common password hashing methods like BCRYPT, SCRYPT and PBKDF2. Furthermore, an 'authenticate()' command could be issued against a Password object that takes in a string and returns a boolean indicating whether the password was authenticated correctly. This would make passwords stored in databases more secure.
  3. Store user accounts and passwords on a highly protected computer system with limited user access. One way is to set up a user database server with a strict set of protected APIs that the application has to call. During authentication, the application server passes the user's login request to the user account server, which validates the login before returning the response to the application server. Only the application server should have access to the user account server.
  4. Make use of login services from login providers (Google, Facebook, Twitter ...) instead of storing user passwords and handling logins on your own.
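As an added example (not the author's code), here is what items 1 and 2 could look like as a tiny API in Python: passwordEncrypt() becomes password_encrypt(), tweakable via password_encrypt_tweak(), and authenticate() verifies a candidate against the stored record. The names are hypothetical, and only PBKDF2-HMAC-SHA256 from the standard library is implemented.

```python
import hashlib
import hmac
import os

# Added example (not code from the original post): a minimal password-hashing
# API in the spirit of the passwordEncrypt()/authenticate() calls proposed
# above. Function and setting names are this example's own, not a real library's.

_SETTINGS = {"rounds": 600_000, "salt_bytes": 16}


def password_encrypt_tweak(name, value):
    """Adjust a hashing parameter, like the proposed passwordEncryptTweak()."""
    if name not in _SETTINGS:
        raise KeyError(f"unknown setting: {name}")
    _SETTINGS[name] = int(value)


def password_encrypt(algorithm, password):
    """Return a self-describing record: algorithm$rounds$salt_hex$digest_hex."""
    if algorithm != "pbkdf2":
        raise ValueError("this example only supports 'pbkdf2'")
    # A fresh random salt per call: two users with the same password get
    # different records, so a precomputed hash table is useless against them.
    salt = os.urandom(_SETTINGS["salt_bytes"])
    rounds = _SETTINGS["rounds"]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${digest.hex()}"


def authenticate(record, candidate):
    """Return True iff candidate matches the stored record."""
    algorithm, rounds, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2":
        return False
    # Parameters come from the record itself, so old records keep verifying
    # after password_encrypt_tweak() raises the default rounds.
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    stored = password_encrypt("pbkdf2", "this15MyPassw0rd")
    print(stored)
    print(authenticate(stored, "this15MyPassw0rd"))  # True
    print(authenticate(stored, "wrong"))  # False
```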

Friday, January 21, 2011

Pseudo Password Encryption

Watch:
  • http://www.arthursucks.com/2011/01/md5sum-ascii-encryption/
You simply use 'echo -n "" | md5sum', which simply sucks. If someone uses your terminal, they can check the history and you are gone.

Another thing to note: hashing a password is NOT ENCRYPTION. Encryption uses an unknown factor called a key (in layman's terms, a password or passphrase)!

You can also build a rainbow table or, in simple terms, MD5-hash all the possible passwords into a table, then look up the hash and see which entry matches; that's the password.

What happens if you simply clear out the history of your terminal / command line? Doesn't that mean you are done for and need to click on the 'Forget Password' link?

Please don't use such a disingenuous way of 'protecting passwords'. Use a proper password manager that uses properly implemented cryptographic ciphers that are tried and tested to withstand attacks, like the AES finalists: Rijndael, Serpent and Twofish.

Hashing is always a bad way to store passwords. Encrypting the password with a master password, using a properly implemented cryptographic password manager, is always the way to go.

A password manager I made: PasswordStore.