2.2: Salting and Hashing Passwords

Right now, if we add users to our database - their password information will be saved in plain text. This is a big security vulnerability. In this module we'll learn how to protect sensitive information in our databases.

Hashing

We'll start by hashing passwords entered into the database.

This runs the string through a one-way hash algorithm (SHA-512 in this case), producing a fixed-length string of hexadecimal digits.

password

becomes:

b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86

Looks good, right? Now our password is protected!

The problem is - while a human would have a difficult time reversing this - for a computer it is trivial.

Go to this site, paste in the above hash and click decrypt.

Whoops. That isn't so safe after all.

Another problem is that identical passwords produce identical hashes in our database. A hacker could use a "rainbow table" of precomputed hashes of common passwords to look them up.

Salting

To further protect our passwords, we can add a "salt" before the password is hashed. The salt is randomly generated based on a protected "key."

Now, when the password is hashed together with a random salt - the same password will produce a different digest each time it is stored, so two users with the same password no longer share a hash.
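The two steps above, as an added example that is not part of the original module: an unsalted SHA-512 digest (which reproduces the hash shown earlier), then a salted digest with a per-user random salt stored beside it, and a constant-time check at login. The helper names and the 16-byte salt length are assumptions, and the record layout is constructed for this example.

```python
import hashlib
import hmac
import os

# The SHA-512 digest of "password" quoted in the module above.
PAGE_HASH = (
    "b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb9"
    "80b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86"
)


def hash_plain(password: str) -> str:
    """Unsalted SHA-512 hex digest: deterministic, so equal passwords collide
    and a rainbow table of common passwords reverses it instantly."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def make_salt(n_bytes: int = 16) -> bytes:
    """Per-user salt from the OS CSPRNG (assumed 16 bytes; not derived from anything)."""
    return os.urandom(n_bytes)


def hash_salted(password: str, salt: bytes) -> str:
    """Salted SHA-512: the salt is fed into the hash ahead of the password.
    The salt is not secret; it only has to be unique per stored password."""
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def store_record(password: str) -> dict:
    """Constructed database row: the salt is stored next to the digest so it can
    be re-applied at login. Each call draws a fresh salt."""
    salt = make_salt()
    return {"salt": salt.hex(), "hash": hash_salted(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    candidate = hash_salted(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    print(hash_plain("password") == PAGE_HASH)      # True: matches the module's hash
    alice, bob = store_record("password"), store_record("password")
    print(alice["hash"] != bob["hash"])             # True: same password, different digests
    print(verify("password", alice), verify("wrong", alice))  # True False
```

Salting stops rainbow tables but a plain SHA-512 is still fast to brute-force per user; in production use a deliberately slow password hash such as hashlib.pbkdf2_hmac, scrypt or bcrypt, with the salt handled exactly as above.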
