What can safe crackers and hamburgers teach us about preventing password security breaches? And what’s the difference between encryption and hashing anyway? Salting? Bcrypt? We all know that password security is very important; the fear of a password security breach keeps developers up at night, and if it happens at the wrong time it can shatter users’ confidence in your software or stunt your application’s growth. There are a lot of different ways to protect passwords, so how do we know which one to choose?
In this video, I’ll explain the differences between two common password protection methods, encryption and hashing, and show why neither alone is enough to protect your password database. Encryption is reversible by design: the application has to hold the key in order to decrypt the stored passwords, so an attacker who obtains that key has the combination to the safe and can read every password inside. Hashing is a one-way function and offers more protection, but a fast, unsalted hash can simply be looked up in a rainbow table or other precomputed table, which gives attackers a shortcut back to the original passwords and a way to compromise your application.
So what is an application developer to do? In this video I talk about the importance of salting each password (combining it with a unique random value that is stored alongside the hash) before hashing, so that identical passwords produce different hashes and precomputed tables are useless: every hash has to be attacked separately. I also recommend a slow hashing algorithm, so that each guess costs the attacker real time while a single login stays fast enough that your users never notice.
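The two halves of that argument side by side, as an added example that is not code from the video: a fast, unsalted SHA-256 hash being reversed with a small precomputed table, and the same passwords protected with a per-password random salt and a deliberately slow derivation. PBKDF2-HMAC-SHA256 from Python's standard library stands in here for bcrypt, which the video recommends; the wordlist, the sample passwords and the iteration count are constructed for the demo and would be tuned for real hardware.

```python
import hashlib
import hmac
import os

# Constructed wordlist: stands in for the far larger lists attackers precompute.
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]

# Assumption: iteration count chosen so one hash costs tens of milliseconds; tune per deployment.
ITERATIONS = 100_000
ALGO = "pbkdf2_sha256"


def fast_unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: fast and unsalted, so a precomputed table reverses it."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(words):
    """Hash every candidate once. The attacker pays this cost once and reuses it for every victim."""
    return {fast_unsalted_hash(w): w for w in words}


def crack_with_table(stored_hash: str, table: dict):
    """Reversing an unsalted hash is a single dictionary lookup; returns None if not in the table."""
    return table.get(stored_hash)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salt, then hash slowly. The salt is random per password and stored next to the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False          # malformed record: never treat as a match
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    """Show both outcomes on the same constructed users; returns the results for inspection."""
    table = build_precomputed_table(WORDLIST)
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}

    # Unsalted: both users with "hunter2" share a hash, and that hash is in the table.
    unsalted = {u: fast_unsalted_hash(p) for u, p in users.items()}
    cracked = {u: crack_with_table(h, table) for u, h in unsalted.items()}

    # Salted and slow: same password, different records, and the table is useless.
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        "cracked": cracked,
        "salted_collide": salted["alice"] == salted["bob"],
        "verify_ok": verify_password("hunter2", salted["alice"]),
        "verify_bad": verify_password("hunter3", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The record format `algo$iterations$salt$digest` is an assumption for the demo, but storing the parameters with the hash is what lets you raise the iteration count later and re-hash users on their next successful login. The constant-time comparison matters less for a slow hash than for raw digests, but it costs nothing and removes a timing side channel from the verifier.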
Be sure to check out Bret’s previous series, where he talks about the three things that developers should monitor, along with screencasts of how to set up the tools.