Online security is one of the biggest risks for your customers. One faulty security process and your customers could be victims of identity theft and fraud. When you create a website for anyone, you should take the utmost care in securing data that’s stored in your database. Hackers will go for your database at some point, especially if your site becomes popular. Here are some tips for securing your users’ passwords.
Use OAuth and Store Nothing
There are several third-party APIs on the market that take care of the whole process for you. These third-party sites use a procedure called OAuth that passes an authorization token to you after a user logs in securely. For instance, Facebook is a popular way to authenticate users. You use a button that displays “Log in with Facebook” on your site. Users enter credentials using Facebook, and they no longer need to create a new user name and password for your site. You aren’t responsible for housing anyone’s credentials, which takes a lot of pressure off of the development team. If a hacker gains access to your database, he only gets a security token, which doesn’t give him access to any real data.
Never Store Passwords in Clear Text
If you can’t let someone else handle authentication, then you’re stuck storing passwords. All passwords should be stored in encrypted form. There are two types of encryption: one-way and two-way. Always store one-way encryption passwords. One-way encryption can’t be decrypted. The only way for a hacker to figure out a one-way encrypted password is to run through a list of dictionary words, encrypt words using a key and then see if the encrypted value matches the value stored in your database. As you can guess, this can take years to accomplish, and by that time, your users have hopefully changed passwords.
Two-way encrypted passwords can be decrypted. You only want to store two-way encrypted passwords if you need to ever pass a plain text password to another provider. This action is obviously full of privacy and security flaws, so it’s only used in very rare occasions. Even if you need to decrypt user passwords at some point, never pass them across unencrypted protocols. Always use HTTPS to pass user passwords across the Internet.
Use a Slow Encryption Scheme But Not Too Slow
Slowing your application probably doesn’t make sense at first, but there is a reason you want to slow the encryption process. You want to slow down hack attempts, because most of these attacks are scripted. The slower your encryption scheme, the longer it takes for a hacker to run scripts on your database.
Obviously, you don’t want to create such a slow encryption process that users complain about performance issues. You want to balance the encryption process with the performance of your application. For the most part, the only way to balance the two performance scenarios is to test your application with different encryption schemes.
Don’t Try to Invent Your Own Encryption Algorithm
It’s tempting to be the next encryption algorithm inventor, but hackers are smart at figuring out basic algorithms. Don’t try to create your own. Hackers will likely figure out the scheme and crack it within a few days. Your algorithm and user data then gets posted to darknet where several security experts will chastise you for your poor security choices.
These four tips will save you some headaches when it’s time to store and secure your users’ data. Even though it seems like no one will ever gain access to your database, encrypting data and securing your users’ data will save the company a lot of money and preserve its reputation if password storage security is implemented properly.
Print this article