How to Safely Store Your Users' Passwords in 2016

I called my bank the other day and they asked over the phone for my password. This isn't a bank I often use, I only currently have a loan through them so I've never used the login on the website. I said I don't remember setting a password. They gave me a hint about the characters in the password and I was able to remember the password based on their hint. I verbally said the password character by character and they confirmed it. This is an example of how to not handle passwords in 2016.

Bad idea to use bcrypt.hashSync in Node.js. I hate that so many tutorials use that one instead of the correct bcrypt.hash with a callback. This is Node.js for that 200 ms where you are hashing that password nothing else runs, no requests, everything stops. Here is the correct way to use bcrypt in Node.js:<p>bcrypt.genSalt(10, function(err, salt) {<p><pre><code> if (err) return; &#x2F;&#x2F;handle error bcrypt.hash(clearPassword, salt, function(err, hash) { if (err) return; &#x2F;&#x2F;handle error &#x2F;&#x2F; Store hash in your password DB. }); </code></pre> });

By not storing them <a href="https:&#x2F;&#x2F;medium.com&#x2F;the-story&#x2F;signing-in-to-medium-by-email-aacc21134fcd#.fkttu9kdh" rel="nofollow">https:&#x2F;&#x2F;medium.com&#x2F;the-story&#x2F;signing-in-to-medium-by-email-a...</a>

Serious question: What about using a Public&#x2F;Private key encryption to store the password?<p>- Private key is stored in a secure place. Offline for all i care; printed on a piece of paper; memorized and swallowed.<p>- When user creates the account - password is padded with salt, then a public key is used to encrypt it. The resulting encrypted form is stored, along with the salt.<p>- When user attempts to authenticate - the password that is provided is padded with the stored salt, encrypted with the public key and compared to the stored password.<p>Private key is never used when comparing passwords. Never available to the system doing authentication, etc.<p>The only purpose of using a reversible encryption - is to be able to switch to a different authentication provider completely transparently to the user.<p>I&#x27;ve implemented this functionality considering that we may need to switch over to active directory (or some other directory) in place of storing passwords in the database - but never used it, fearful that i would be committing some cardinal crime against proper security practices<p>Thoughts?

&gt; base64_encode(hash(&#x27;sha384&#x27;, $password, true))<p>&gt; ...<p>&gt; The above construction may invite theoretical concerns about entropy reduction (i.e. 72 characters of raw binary without any NUL bytes comes out to about 573 bits of possible entropy, but a SHA-384 hash outputs are clearly limited to 384 bits).<p>Given BCrypt hashes are a mere 184 bits, I don&#x27;t see how this is a meaningful concern even in principle. If you&#x27;re brute-forcing search spaces this big you&#x27;re no longer looking to recover a password, but find a collision.

I had no idea that PBKDF2 had fallen so much in recent years. I still remember the 1Password team extolling its virtues five years ago:<p><a href="https:&#x2F;&#x2F;blog.agilebits.com&#x2F;2011&#x2F;05&#x2F;05&#x2F;defending-against-crackers-peanut-butter-keeps-dogs-friendly-too&#x2F;" rel="nofollow">https:&#x2F;&#x2F;blog.agilebits.com&#x2F;2011&#x2F;05&#x2F;05&#x2F;defending-against-crac...</a>

If you&#x27;re using node.js and you use these hashing methods, your entire server is going to pause for 0.5 seconds on a login because it runs on a single thread. Goodbye to all of your server performance.<p>You can create a worker system, or use a child process to solve this problem, but most of these articles never mention it

It would be great if, in 2020, or sooner, but probably later, the answer is &quot;don&#x27;t use passwords any more. They are deprecated components of society.&quot;

Anyone have a good explanation of why, in the Python example, they recommend `hmac.compare_digest` instead of `==` for comparison?<p>Is there something obvious I&#x27;m missing here?

Disappointed that the first solution isn&#x27;t: Let somebody else do it.<p>I know this doesn&#x27;t apply to banking, etc but 99% of the websites that &quot;require&quot; me to create an account and log in don&#x27;t need to store primary credentials for me. Please pick a secure implementation of oAuth2 and let people store their credentials wherever the hell they want to.<p>I&#x27;m bored of getting hits from &quot;Have I been pwned?&quot;

For some reason the article completely fails to link to libsodium: <a href="https:&#x2F;&#x2F;download.libsodium.org&#x2F;doc&#x2F;" rel="nofollow">https:&#x2F;&#x2F;download.libsodium.org&#x2F;doc&#x2F;</a>

I have always been impressed by the way django does it.<p><a href="https:&#x2F;&#x2F;docs.djangoproject.com&#x2F;en&#x2F;1.9&#x2F;topics&#x2F;auth&#x2F;passwords&#x2F;" rel="nofollow">https:&#x2F;&#x2F;docs.djangoproject.com&#x2F;en&#x2F;1.9&#x2F;topics&#x2F;auth&#x2F;passwords&#x2F;</a>

Assuming this is legit (seems like it), mega bonus points for walking through examples on the various platforms&#x2F;languages.

From previous discussions about this topic, I had noted down the following best practices:<p>Passwords should be scrypt&#x27;ed on client, and then, the server should generate a SHA256 hash of the scrypt&#x27;ed hash and store that in DB.<p>- Running CPU &amp; memory heavy scrypt hashing on the client side will allow us to use bigger hashing work-loads.<p>- EDIT: Removing the MITM point, because as many said, that&#x27;s the job of TLS anyway.<p>- External brute force attackers will have to take the burden of heavy hashing. No DOSing through scrypt.<p>- Storing SHA256 hash instead of scrypt hash on DB means even if DB is stolen, attackers can&#x27;t use stolen scrypt hashes to authenticate any client.<p>I would love to get others&#x27; feedback on this. EDIT: Found the reference: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=9305504" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=9305504</a>

Wish there was a site where it lists algorithms and gives a table, and an ability to compare it to x years ago:<p>algorith | fairly safe difficulty (all variables) | very safe difficulty without incurring too much performance cost.<p>pbkdf + sha1 | completely unsafe | completely unsafe<p>pbkdf + sha2 | 100000 | ...<p>pbkdf + sha256<p>bcrypt<p>scrypt<p>argon2

I&#x27;m part of the Paragon Initiative Enterprises team and have access to edit the blog. If you have any questions (AMA) or would like to suggest any additions, please let me know.

Perl programmers should try this module: Crypt::ScryptKDF I have been using it for a while now

What I find frustrating is the lack of availability of most of these algorithms for the most common platforms (.net, php, java). The author recommendation seems to be driven by availability, not the algorithms own merits.

I believe the Ruby example is incorrect: When checking a password&#x27;s validity, you must use a constant-time comparison or else you are exposing a vulnerability to side-channel timing attacks.<p>There is an open issue in Coda Hale&#x27;s bcrypt repo about this: <a href="https:&#x2F;&#x2F;github.com&#x2F;codahale&#x2F;bcrypt-ruby&#x2F;pull&#x2F;119" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;codahale&#x2F;bcrypt-ruby&#x2F;pull&#x2F;119</a><p>My stance on posting &quot;best practice&quot; articles is: you must follow <i>all</i> best practices in them.<p>&lt;Edited for clarity&gt;

Hashicorp&#x27;s Vault (vaultproject.io) is also an excellent way of controlling access to secrets and back ends, such as PostgreSQL.<p>It&#x27;s worth spending the time to learn, implement, and integrate into the security best practices you should already be deploying.

Here&#x27;s yesterday&#x27;s discussion for the exact same post (maybe the duplicate search failed this time?)<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11108481" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=11108481</a>

Or, we could move to not storing passwords at all, viz client certs and SRP.

I kind of don&#x27;t like this article. I think we should be teaching people best practice for securing and storing a password, not simply giving them a library.

I believe that the safest way is not to save them. Instead, outsource this to a few select OAuth providers which you and your customers are willing to trust.

&quot;How to Safely Store a Password in 2016&quot;<p>Don&#x27;t. Unless it&#x27;s 100% absolutely necessary.<p>If you must, continue reading on.

Ruby&#x27;s argon2 gem is pretty good!

Storing passwords is like storing credit card numbers - just don&#x27;t do it

I&#x27;m curious if any D developers care to share their approach to this?

Does Argon2 have an official website and repo or is it just the PHC repo?

For anyone who reads the comments before clicking the article, the subject is storing your users&#x27; passwords, not managing your passwords for a variety of services. I had interpreted it as the latter. A better title might be &quot;How to Safely Store Your Users&#x27; Passwords in 2016&quot;.<p>(Title is currently: &quot;How to Safely Store a Password in 2016&quot;)

&gt; PBKDF2 (nearly everyone except FIPS agrees this is the worst of the acceptable options)<p>is that true?

I use an ultra secure method for my passwords, it is 100% unhackable.<p>Proprietary Analog Password Encryption Routines.

Lame title. Story talks about storing password hashes and not passwords. I&#x27;m still looking for a solution to storing actual user passwords. Scenario: All laptops in the company have a unique local administrator password. How do I manage this effectively as a domain admin?