How can you make your password more secure?
Security is the most important yet neglected part of our development. Security should be our top consideration from the coding phase of any application.
Today, I will share how we can create almost unbreakable passwords.
We have the following approaches to save passwords:
-
Plain text password (Not effective)
-
Text password but encoded (Not effective)
-
Hash {Salt + password} (Effective)
-
Hash {Salt + Peeper + Password} ( Most effective)
What is the problem with the first two approaches?
The first two types of passwords could be victims of brute-force attacks following dictionary attacks with a combination of common hashing algorithms.
What is Salt and how it works?
Salt is nothing else than a random string. At the time of user creation, we generate a random string and save it along with our user’s other information in the user’s table.
One can also use GUID as a SALT, but using a random generator is more common.
The following code can be used to generate random salt in C# :
int saltByteSize = ..;
using var rng = RandomNumberGenerator.Create();
var byteSalt = new byte[saltByteSize];
rng.GetBytes(byteSalt);
var salt = Convert.ToBase64String(byteSalt);
→ On user creation, we generate a SALT and then encode our password with this SALT.
-
SalatedPassword = Password + Salt
-
Then we convert it to bytes
-
And hash it using a string hashing algorithm (e.g. SHA256, SHA512)
→ On-user retrieval
-
Retrieve user based on email or username
-
Get its salt, combine it with the password coming in a request
-
Hash it using the same algorithm used earlier
-
If the password coming from the database matches this hashed password you are good to go
This approach is effective but what’s the problem with adding an extra layer that will hardly take a couple of lines of code and a few minutes but that is +1 more secure than the salt approach
What is Peeper and how does it work with Salt and Password?
Once again peeper is a fancy term nothing else than a string. We create a random key, you can use online tools as well that generate random strong strings.
Save that sting somewhere secure e.g. (Environment variables or user secrets) as per your environment suitability ( Development, Staging, or Production).
It comes with an extra security effort of keeping your peeper in a safe place.
On user creation generate salt and then:
-
SaltPeeperPassword = Password + Salt + Peeper
-
Then we convert it to bytes
-
And hash it using a string hashing algorithm (e.g. SHA256, SHA512)
Choose the hashing algorithm of your choice by exploring them
On-user retrieval
-
Retrieve user based on email or username
-
Get salt, and pepper and combine with the password
-
Hash it using the same algorithm
-
If the password matches you are good to go
(Salt + Peeper + Password) with N iterations for hashing
In this approach, we iterate the hashing process up to n time e.g. three, four, or five times, and save the final version of the password in the database. This approach is the most secure.
Make sure you use the same n for saving this password and then retrieving it. One can save iterations count in app settings and retrieve it as needed.
The hashing code can be found at Microsft Docs, the main idea was to explain the concept of the Salt and pepper approach.
Whenever you're ready, there are 3 ways I can help you:
- Subscribe to my youtube channel : For in-depth tutorials, coding tips, and industry insights.
- Promote yourself to 9,000+ subscribers : By sponsoring this newsletter
- Patreon community : Get access to all of my blogs and articles at one place