EP 57 : How can you make your password more secure?
Read Time : 3 Mins
Security is the most important yet neglected part of our development. Security should be our top consideration from the coding phase of any application.
Today, I will share how we can create almost unbreakable passwords.
We have the following approaches to save passwords:
Plain text password (Not effective)
Text password but encoded (Not effective)
Hash {Salt + password} (Effective)
Hash {Salt + Peeper + Password} ( Most effective)
What is the problem with the first two approaches?
The first two types of passwords could be victims of brute-force attacks following dictionary attacks with a combination of common hashing algorithms.
What is Salt and how it works?
Salt is nothing else than a random string. At the time of user creation, we generate a random string and save it along with our user's other information in the user’s table.
One can also use GUID as a SALT, but using a random generator is more common.
The following code can be used to generate random salt in C# :
→ On user creation, we generate a SALT and then encode our password with this SALT.
SalatedPassword = Password + Salt
Then we convert it to bytes
And hash it using a string hashing algorithm (e.g. SHA256, SHA512)
→ On-user retrieval
Retrieve user based on email or username
Get its salt, combine it with the password coming in a request
Hash it using the same algorithm used earlier
If the password coming from the database matches this hashed password you are good to go
This approach is effective but what’s the problem with adding an extra layer that will hardly take a couple of lines of code and a few minutes but that is +1 more secure than the salt approach
What is Peeper and how does it work with Salt and Password?
Once again peeper is a fancy term nothing else than a string. We create a random key, you can use online tools as well that generate random strong strings.
Save that sting somewhere secure e.g. (Environment variables or user secrets) as per your environment suitability ( Development, Staging, or Production).
It comes with an extra security effort of keeping your peeper in a safe place.
On user creation generate salt and then:
SaltPeeperPassword = Password + Salt + Peeper
Then we convert it to bytes
And hash it using a string hashing algorithm (e.g. SHA256, SHA512)
Choose the hashing algorithm of your choice by exploring them
On-user retrieval
Retrieve user based on email or username
Get salt, and pepper and combine with the password
Hash it using the same algorithm
If the password matches you are good to go
(Salt + Peeper + Password) with N iterations for hashing
In this approach, we iterate the hashing process up to n time e.g. three, four, or five times, and save the final version of the password in the database. This approach is the most secure.
Make sure you use the same n for saving this password and then retrieving it. One can save iterations count in app settings and retrieve it as needed.
The hashing code can be found at Microsft Docs, the main idea was to explain the concept of the Salt and pepper approach.
Whenever you’re ready, there are 2 ways I can help you:
Promote yourself to 10000+ subscribers by sponsoring this newsletter
Patreon Community: Join and gain access to the 200+ articles I have published so far in one place. Join here