How to Safely Store Passwords, for Developers

How can you safely implement a password storage and hashing function?

Implement safe crypto for password storage in any language


Intro

You are a developer, and you want people to be able to create a unique user account, protected by a password, which they will use to access your application. How can you safely implement this feature?

Easiest solution

The easiest solution is to use libsodium, which provides a secure password hashing API with bindings for most languages. As of version 1.0.8 it uses the scrypt algorithm; the next release (1.0.9) will also offer Argon2, the most recent, carefully selected algorithm from the Password Hashing Competition. Libsodium offers bindings for most programming languages: C/C++/.NET/Go/Java/Python/PHP/...

libsodium is a modern, high-security, cross-platform, easy-to-use software library for encryption, decryption, signatures, password hashing and more.

libsodium.org

Note: There is a published attack on Argon2i, the variant of Argon2 recommended for general-purpose password hashing. The practical implications aren't severe, but it may lead to a new variant ("Argon2x" perhaps, since it would presumably use XOR instead of overwriting memory to mitigate these attacks) being christened and recommended. Until that happens, use the variant and work factors your library recommends and keep the hash format self-describing so you can migrate later.
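Whatever library you pick, the shape of a safe password store is the same: a fresh random salt per password, a memory-hard key derivation function with explicit work factors, a self-describing stored string, a constant-time comparison on verify, and a way to detect hashes made with outdated parameters so they can be upgraded at the user's next login. The following is an added example, not code from this page or from libsodium: it implements that shape with scrypt from Python's standard library (hashlib.scrypt, available when Python is built against OpenSSL 1.1 or newer), so it runs without installing anything. The storage format ($scrypt$ln=..,r=..,p=..$salt$hash), the parameter values and the function names are this example's own choices, not a standard.

```python
import base64
import hashlib
import hmac
import secrets

# Work factors (example policy, not a library default). N = 2**LOG_N is the
# CPU/memory cost, r the block size, p the parallelism. scrypt needs
# 128 * N * r bytes of memory per hash: LOG_N=14, r=8 is 16 MiB. Raise LOG_N
# over time; needs_rehash() below flags hashes made under an older policy.
LOG_N = 14
R = 8
P = 1
SALT_BYTES = 16
DK_LEN = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text, validate=True)


def hash_password(password: str, log_n: int = LOG_N, r: int = R, p: int = P) -> str:
    """Return a self-describing string: $scrypt$ln=..,r=..,p=..$salt$hash."""
    if not isinstance(password, str) or password == "":
        raise ValueError("password must be a non-empty string")
    salt = secrets.token_bytes(SALT_BYTES)  # fresh CSPRNG salt for every hash
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=1 << log_n, r=r, p=p, dklen=DK_LEN)
    return f"$scrypt$ln={log_n},r={r},p={p}${_b64(salt)}${_b64(dk)}"


def _parse(stored: str):
    """Split a stored string into (log_n, r, p, salt, hash); raise on junk."""
    parts = stored.split("$")  # base64 never contains '$', so this is safe
    if len(parts) != 5 or parts[0] != "" or parts[1] != "scrypt":
        raise ValueError("not a scrypt password hash")
    try:
        params = dict(kv.split("=", 1) for kv in parts[2].split(","))
        log_n, r, p = int(params["ln"]), int(params["r"]), int(params["p"])
        return log_n, r, p, _unb64(parts[3]), _unb64(parts[4])
    except (KeyError, ValueError) as exc:
        raise ValueError("malformed scrypt password hash") from exc


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    log_n, r, p, salt, expected = _parse(stored)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=1 << log_n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, log_n: int = LOG_N, r: int = R, p: int = P) -> bool:
    """True if any stored work factor is below the current policy."""
    s_log_n, s_r, s_p, _, _ = _parse(stored)
    return s_log_n < log_n or s_r < r or s_p < p


def login(password: str, stored: str):
    """Typical login flow: (ok, replacement_hash_or_None).

    The caller writes the replacement back to the database when it is not
    None, which transparently upgrades old hashes as users log in.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed demonstration: an old record made with a weaker policy.
    old_record = hash_password("correct horse battery staple", log_n=10)
    ok, upgraded = login("correct horse battery staple", old_record)
    print("login ok:", ok)
    print("stored:  ", old_record)
    print("upgraded:", upgraded)
    print("wrong pw:", login("Tr0ub4dor&3", old_record))
```

Note what the example does not do: it never stores the password, never compares with `==`, and never reuses a salt, and because the parameters travel with the hash, raising LOG_N in the policy breaks nothing already stored. If you later switch to Argon2 through libsodium, only hash_password and verify_password change; the surrounding flow stays the same.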

Alternative

If you, for whatever reason, cannot reconcile your requirements with installing libsodium, you have other options: several password hashing libraries in multiple programming languages are also available:

PHP

This blog post will teach you how to securely store passwords in PHP.

Java

This blog post will teach you how to securely store passwords in Java.

C# (.NET)

This blog post will teach you how to securely store passwords in C# (.NET).

Ruby

This blog post will teach you how to securely store passwords in Ruby.

Python

This blog post will teach you how to securely store passwords in Python.

Node.js

This blog post will teach you how to securely store passwords in Node.js.

Credits

Further information can be found at https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016
