Password Storage Cheat Sheet

= DRAFT CHEAT SHEET - WORK IN PROGRESS =

= Introduction =

This article is focused on providing guidance to storing a password in order to help prevent password theft. Too often passwords are stored as clear text. Thus the password can be read directly by the database’s administrator, super users or via data theft by SQL Injection. Database backup media is also vulnerable to password theft via password storage. It is recommended that you avoid storing the clear text password or an encrypted version of the password.

Password Storage Rules
Passwords are secrets. There is no reason to decrypt them under any circumstances. It is crucial that passwords are stored in a way that they can be *verified* but not *reversed* in any way, even by insiders. To accomplish this, store the salted hashed value of the password. Preferably use a different random salt for each password hash instead of a constant long salt.


 * 1) Use a modern hash
 * 2) SHA
 * 3) bcrypt
 * 4) Use a long cryptographically random salt
 * 5) Isolate the salt from the hash
 * 6) Iterate the hash