These days, every other site’s database gets hacked and user login details are made available online. Whatever is happening is pretty sad but it’s really not possible to make ourselves 100% secure and hack proof. But yes, it’s definitely possible to be extra cautious to avoid heavy loss in these kind of situations.

The most important part in the user database is “password hashes”. I think these days, most of the sites have adopted one way encryption. Yeah, there are few large sites who still prefer storing their user passwords in simple text or 2 way encryption format, but let’s not talk about those.

So, coming back to one way encryption. The simple method to do this is by using MD5 hashes or SHA-1 hashes. It’s pretty much secured with no major issues with decryption. Yeah, hashes can be matched with huge list of words in the dictionary (or any collection of words) and this is what generally hackers do.

So, in short, storing passwords in simple MD5 / SHA-1 hashes is not enough too. Say, in case of breach like LinkedIn, the passwords were stored in simple SHA-1 hash, so the hackers compared the hashes with huge list of words and were able to decrypt millions of passwords.

So, how do we prevent something like this in future? Here is how:

  • Use Salt. You can create one key of say 64 characters and every time a user registers, the password hashes will be merged with the salt and a new hash will be generated with this combination. So, if you use this, all the user passwords will be merged with same salt. It will become impossible to compare the hashes with list of words without the salt hash.
  • Above method is generally used in recent times but this is what you can do, if you still want to add one more layer of security. At the time of user registration, generate a random salt for that particular user, store salt in the database along with the password. The password hash will now have, hashes of password merged with hashes of the salt. On the top of it, you can merge one more salt value which can be stored in your config file. So, this way, your password will have be unique combination of hashes every time. Yeah, the hackers will get access to your random salt from database (in case of database hack) but it will surely make their life difficult at the time of decryption or comparing with the list of words.
  • Another thing you can do is, implement any of the above points, create a new table for password & map user IDs to it. So, even if the password table is hacked, the usernames won’t be revealed as both are not in the same table.

I guess, above points should add a decent security layer on your web site / application. Obviously, whatever I have mentioned is not rocket science, your site won’t turn to hack proof if you implement any of the above points or any other methods but it will surely make decryption difficult.

Like always. Suggestions are welcome.