Keywords: Password Security | Hash Functions | Salting Techniques | bcrypt | PBKDF2 | Database Security
Abstract: This article provides an in-depth analysis of core principles and technical solutions for securely storing user passwords in databases. By examining the pros and cons of plain text storage, encrypted storage, and hashed storage, it emphasizes the critical role of salted hashing in defending against rainbow table attacks. The working principles of modern password hashing functions like bcrypt and PBKDF2 are detailed, with C# code examples demonstrating complete password verification workflows. The article also discusses security parameter configurations such as iteration counts and memory consumption, offering developers a comprehensive solution for secure password storage.
The Importance of Password Storage Security
In modern web application development, user authentication systems are essential core components. However, secure password storage often becomes a vulnerability in system security. Statistics show that over 80% of data breaches are related to password security issues. This article provides a technical deep-dive into best practices for password storage.
Dangers of Plain Text Storage
Storing passwords in plain text within databases is extremely dangerous. If a database is compromised, attackers can directly obtain all users' original passwords. This not only jeopardizes the security of a single application but may also lead to account theft on other services, as many users reuse passwords across different platforms.
Limitations of Encrypted Storage
While encryption provides some level of protection, reversible encryption algorithms still pose security risks. If attackers obtain the encryption key, they can decrypt all passwords. Additionally, the encryption process requires managing key lifecycles, increasing system complexity.
Fundamentals of Hash Functions
Hash functions transform inputs of any length into fixed-length outputs through mathematical operations. Ideal password hash functions should possess the following characteristics: one-wayness, collision resistance, and avalanche effect. However, traditional hash functions like MD5 and SHA1 have proven vulnerable and are unsuitable for password storage.
Technical Implementation of Salted Hashing
Salting is a key technique for enhancing password security. Salt values should be unique random strings for each user, recommended to be at least 16 bytes in length. Example C# code for implementing salted hashing:
using System;
using System.Security.Cryptography;
using System.Text;
public class PasswordHasher
{
public static string GenerateSalt(int size = 16)
{
byte[] saltBytes = new byte[size];
using (var rng = RandomNumberGenerator.Create())
{
rng.GetBytes(saltBytes);
}
return Convert.ToBase64String(saltBytes);
}
public static string HashPassword(string password, string salt)
{
using (var sha256 = SHA256.Create())
{
byte[] passwordBytes = Encoding.UTF8.GetBytes(password + salt);
byte[] hashBytes = sha256.ComputeHash(passwordBytes);
return Convert.ToBase64String(hashBytes);
}
}
public static bool VerifyPassword(string password, string salt, string storedHash)
{
string computedHash = HashPassword(password, salt);
return computedHash == storedHash;
}
}Defending Against Rainbow Table Attacks
Rainbow tables are precomputed tables of hash values that enable quick reverse lookup of original passwords. Salted hashing makes rainbow table attacks infeasible by adding unique salt values to each password. Even if two users have identical passwords, their hash values will differ due to different salts.
Modern Password Hashing Functions
bcrypt is an algorithm specifically designed for password hashing, based on the Blowfish encryption algorithm. It features configurable computational cost, allowing iteration counts to increase with hardware performance improvements. Example of using bcrypt in C#:
using BCrypt.Net;
public class BcryptPasswordHasher
{
public static string HashPassword(string password)
{
return BCrypt.HashPassword(password, workFactor: 12);
}
public static bool VerifyPassword(string password, string hashedPassword)
{
return BCrypt.Verify(password, hashedPassword);
}
}Application of PBKDF2 Algorithm
PBKDF2 (Password-Based Key Derivation Function 2) is another widely used password hashing algorithm. It increases computational cost through multiple iterations of hash functions. C# has built-in PBKDF2 implementation:
using System.Security.Cryptography;
public class Pbkdf2Hasher
{
private const int SaltSize = 16;
private const int HashSize = 32;
private const int Iterations = 10000;
public static string HashPassword(string password)
{
byte[] salt = new byte[SaltSize];
using (var rng = RandomNumberGenerator.Create())
{
rng.GetBytes(salt);
}
byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
byte[] hashBytes = new byte[SaltSize + HashSize];
Array.Copy(salt, 0, hashBytes, 0, SaltSize);
Array.Copy(hash, 0, hashBytes, SaltSize, HashSize);
return Convert.ToBase64String(hashBytes);
}
public static bool VerifyPassword(string password, string hashedPassword)
{
byte[] hashBytes = Convert.FromBase64String(hashedPassword);
byte[] salt = new byte[SaltSize];
Array.Copy(hashBytes, 0, salt, 0, SaltSize);
byte[] storedHash = new byte[HashSize];
Array.Copy(hashBytes, SaltSize, storedHash, 0, HashSize);
byte[] computedHash = Rfc2898DeriveBytes.Pbkdf2(
password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
return CryptographicOperations.FixedTimeEquals(computedHash, storedHash);
}
}Iteration Counts and Computational Cost
Appropriately increasing hash function iteration counts significantly raises computational costs for attackers while minimally impacting legitimate user experience. Recommended iteration counts should be adjusted based on current hardware performance, typically 10,000+ for PBKDF2 and work factor 12+ for bcrypt.
Database Table Structure Design
Proper database table structure is crucial for password security. Recommended user table structure should include the following fields:
CREATE TABLE Users (
UserId INT PRIMARY KEY IDENTITY,
Username NVARCHAR(50) UNIQUE NOT NULL,
PasswordHash NVARCHAR(256) NOT NULL,
Salt NVARCHAR(24) NOT NULL,
CreatedAt DATETIME2 DEFAULT GETDATE(),
LastLogin DATETIME2 NULL
);Complete Authentication Flow Implementation
A complete user authentication system based on the above technologies should include user registration, login verification, and password reset modules. Below is a complete user registration workflow example:
public class AuthenticationService
{
public bool RegisterUser(string username, string password)
{
// Validate password strength
if (!IsPasswordStrong(password))
return false;
// Generate salt
string salt = PasswordHasher.GenerateSalt();
// Calculate password hash
string passwordHash = PasswordHasher.HashPassword(password, salt);
// Store in database
return SaveUserToDatabase(username, passwordHash, salt);
}
public bool AuthenticateUser(string username, string password)
{
// Retrieve user information from database
var user = GetUserFromDatabase(username);
if (user == null) return false;
// Verify password
return PasswordHasher.VerifyPassword(password, user.Salt, user.PasswordHash);
}
private bool IsPasswordStrong(string password)
{
// Implement password strength checking logic
return password.Length >= 8
&& password.Any(char.IsUpper)
&& password.Any(char.IsLower)
&& password.Any(char.IsDigit);
}
}Security Best Practices Summary
Based on the above analysis, best practices for database password storage include: using dedicated password hashing functions, generating unique salts for each user, setting appropriate iteration counts, enforcing strong password policies, and regularly updating security parameters. Adhering to these principles significantly enhances system security and protects user data from attacks.