Making a hash of passwords

After so many high-profile data breaches, it's time developers learned that storing passwords is a really bad idea. And there is a perfectly workable alternative.

Last week, I went to a project meeting so I could provide security insights as some consulting software developers updated us on the customer-facing application they're building for us. But I was dumbfounded when they asked me, "How should we encrypt the passwords?" Will developers never learn?

It could well be that the developers thought I would be impressed that they were thinking about security. After all, they wanted to encrypt the passwords their database would collect. I'm sorry to say, though, that I didn't feel like patting them on the back. That's because the question that occurred to me was, "Why would you think it's a good idea to collect passwords at all?" The entire interaction took me back 10 years, and it distressed me to think that, despite all the high-profile data breaches we've seen since then, not much has changed.

Even 10 years ago, when software developers would ask data security practitioners how they should encrypt the passwords, we would respond, "You don't." The best practice that was then coming into focus was to avoid storing sensitive data provided by customers such as passwords and credit card numbers. You didn't need to store it; you could just validate it.

For passwords, it works like this. Users have to type in their username and password every time they log in. What we need to do is to take that password and hash it (compute a unique value using a hashing algorithm like MD5 or SHA), and compare that hash value to a hash value that your application previously stored in its database. If the hash values match, then the user has typed in the right password. This method eliminates the need for storing passwords. The application only needs to take the data entered into the password field and run a hash computation on it in real time, nothing further.

A decade ago, we were using the MD5 hashing algorithm. These days, MD5 is obsolete, so we use the SHA-2 algorithm instead, but the result is the same. When I wrote about this recently, I called hashing a "tried-and-true technique" for developing authentication systems. I figured that by now, everyone would be doing it.
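The hash-and-compare flow described in the two paragraphs above, as an added example that is not part of the original column: a user record stores only a digest, the submitted password is hashed at login, and the two digests are compared. It uses SHA-256 (from the SHA-2 family the column recommends). Two details go beyond what the column describes and are standard hardening a reviewer would expect: a random per-user salt (so two users with the same password do not get the same stored value) and iterated hashing via PBKDF2 (so guessing against a stolen table is slow). The in-memory `USER_DB`, the function names and the iteration count are all constructed for this example, not taken from the article.

```python
import hashlib
import hmac
import os
from typing import Dict

# SHA-256 is the underlying hash, matching the column's "use SHA-2" advice.
# The per-user salt and the PBKDF2 iteration count are additions beyond the column;
# the iteration count below is an illustrative value, not a recommendation from the article.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed in-memory stand-in for the application's user table.
# Only the salt and the digest are kept; the password itself is never stored.
USER_DB: Dict[str, Dict[str, str]] = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from password + salt using PBKDF2 over SHA-256."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> Dict[str, str]:
    """Create the stored record for a new user; the plaintext password is discarded."""
    salt = os.urandom(SALT_BYTES)
    digest = hash_password(password, salt)
    record = {"salt": salt.hex(), "hash": digest.hex()}
    USER_DB[username] = record
    return record


def verify(username: str, password: str) -> bool:
    """Recompute the digest from the submitted password and compare it to the stored one."""
    record = USER_DB.get(username)
    if record is None:
        # Unknown user: still perform one hash computation so response time does
        # not reveal whether the username exists (dummy salt, result discarded).
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(password, salt)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def stored_values_differ_for_same_password(password: str) -> bool:
    """Show why the salt matters: two users with the same password get different records."""
    a = register("alice", password)
    b = register("bob", password)
    return a["hash"] != b["hash"]


if __name__ == "__main__":
    register("demo", "correct horse battery staple")
    print("right password:", verify("demo", "correct horse battery staple"))
    print("wrong password:", verify("demo", "Tr0ub4dor&3"))
    print("unknown user:", verify("nobody", "anything"))
    print("same password, different stored hashes:",
          stored_values_differ_for_same_password("hunter2"))
```

Note that nothing in this flow can be "decrypted": if `USER_DB` leaks, the attacker gets salts and digests, not passwords, which is the whole point the column is making. The dummy computation for unknown users and `hmac.compare_digest` are there so that the login endpoint's timing does not reveal which usernames exist or how close a guess was.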

That's why I was surprised, even shocked, that today's developers are asking how to encrypt passwords for storage. They are still trying to save the user's password in their databases, so they can decrypt them and compare the actual password value entered by the user to the stored password, instead of comparing hash values. This is crazy. Any database that contains passwords can be compromised, thereby disclosing all its passwords.

And this does keep happening. LinkedIn, eBay, Twitter and others have all lost passwords in the last couple of years, and a Russian gang has reportedly collected over 1.2 billion passwords from all over the place. Are we really still storing passwords in this day and age? Am I the only one telling people not to do that?

I sent the developers home with a new assignment: Don't store passwords. Store hash values instead. They understood right away, saw it was a good idea, and agreed to do it that way. And I hope word gets around, because I hate to think we are perpetuating bad practices in the most important part of our software, the login.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at
