Question

I want to securely store user passwords in my database but am unsure of the best hashing and encryption techniques to use. What are the current best practices for hashing passwords before saving them, and how can I ensure that the storage method meets modern security standards?

Any advice on salt generation, secure hashing algorithms, or code examples would be beneficial.

Answer 1

To securely store passwords in a database, follow these best practices:

1. Use a Strong Hashing Algorithm: Hash passwords with a secure algorithm like bcrypt, Argon2, or PBKDF2. Avoid using SHA-1 or MD5 as they are no longer considered secure.

2. Add a Salt: Generate a unique, random salt for each password. This helps prevent rainbow table attacks by making identical passwords produce different hashes.

3. Avoid Encryption: Passwords should be hashed, not encrypted. Hashing is one-way, meaning it can’t be reversed, while encryption is reversible, which could expose passwords if keys are leaked.

4. Set a High Cost Factor: Hashing algorithms like bcrypt and Argon2 allow you to set a "cost" or "work factor," which defines the hashing complexity. Use a high cost factor (e.g., bcrypt cost of 12 or above) to make brute-force attacks slower.

Here’s how you could implement secure password storage using bcrypt in Python:

import bcrypt

# Hashing a password
password = b"your_password_here"
salt = bcrypt.gensalt()  # Generate salt
hashed_password = bcrypt.hashpw(password, salt)  # Hash with salt

# Verifying a password
is_correct = bcrypt.checkpw(password, hashed_password)
print("Password is correct:", is_correct)