Secure Passwords with Salt, Pepper and Hash. What?!

Passwords are the bane of our online presence. A lot of data breaches and account compromises can be traced back to poor password hygiene. Effective password management is a nightmare, both for service providers and users alike. Difficult to get right, but easy to get wrong.

There are plenty of secure design patterns and anti-patterns to consider as an application developer (links in References below). There is also a growing trend of passwordless authentication techniques (and startups!), but the jury is still out on the security benefits versus the added user friction. For the time being though, passwords are inevitable. This post will focus on three simple password management techniques that can be considered by all developers tasked with securing our passwords.

First, Hash the Passwords

Want to know the single best thing you can do? Do not store passwords in plaintext. Under any circumstances. Instead, require a strong password and store a hash of the password i.e. a non-reversible, cryptographically-generated representation. Do not also use reversible encryption techniques, outdated hashing algorithms like MD5 and SHA1, or (even worse) your own algorithms! Prefer battle-tested contemporary algorithms like Argon2id or bcrypt. OWASP has a good cheat sheet on specific configuration parameters you can use.

Next, Salt to Taste

Hashing alone is not sufficient though, as it can be subject to brute-force attacks. Dictionaries of common password hashes as well as dumps from several data breaches are also available online, making password cracking fairly trivial without the right countermeasures. Hence, add a unique, randomly generated string (i.e. salt) to each password as part of the hashing process. The salt is typically unique for a user, making it significantly harder for the attacker, who now cannot use pre-computed hashes or compare hashes across users.

Finally, Use a Pepper for Additional Flavour

To make this system more secure, you can add a pepper that is stored outside the database. The pepper is typically a symmetric encryption key, stored in a secrets vault and shared across the hashed passwords. This technique adds protection against a database compromise via SQL injection or other means. Follow good secret management practices and rotate the pepper periodically.

Of course, as new threat vectors or vulnerabilities in the hashing algorithms are discovered, these techniques may need to be upgraded. But, until then, a combination of salt, pepper and hash will make for a great password recipe!

References

1. Password Storage Cheat Sheet by OWASP
2. Modern Password Security for System Designers by Google
3. Modern Password Security for Users by Google