by Daniel Fernandez <dfernandez AT users.sourceforge.net>

There are some intuitive reasons for this: our data stores can be compromised, and so can our communications. But the most important reason is that we have to think of our users' passwords as sensitive personal data . Their passwords are their key to their privacy, so they are personal, they are sensitive, and no one (not even us) has the right to know them. And we must honor this if we want to gain our user's trust.

Almost all modern web applications need, in one way or another, to encrypt their users' passwords. We could say that, from the moment that an application has users, and users sign in using a password, these passwords have to be stored in an encrypted way.

2. The algorithm

So, we have to encrypt passwords, but... how? Here comes our first rule:

I. Encrypt passwords using one-way techniques, this is, digests.

This is because, except for some specific scenarios (mainly regarding legacy integration), there is absolutely no reason for a password being decrypted. If you encrypt your passwords using password-based encryption (a two-way technique) and an attacker gets to know your encryption password, all of your user passwords will be revealed (and, probably, all at a time). If you don't have such encryption password (or key) to be able to decrypt, this risk disappears, and the attacker will have to trust on brute force or similar strategies.

'But what if one of my users loses his/her password? Can't I remind it to him/her?'

The answer is a loud and clear NO. Not only you cannot do such a thing as reminding their passwords to them, but in fact you should not even have a way to get to read/know/see your users' passwords, no matter if you are the system administrator! If one of your users loses his/her password, just reset it to a new value and send him/her a message to a verified email address with the new one, asking to change it as soon as possible.

Now that it is clear that password digesting is a must, which digest algorithm should we use? Well, there are several, and it largely depends on your needs. The most used ones are:

MD5 algorithm

SHA family: SHA-1 algorithm and SHA-2 variants (SHA-224, SHA-256, SHA-384 and SHA-512)

In most cases, both MD5 or SHA-1 will be adequate choices for password digesting, although applying these algorithms will not be enough, as we will see later on.

When we are told that we should use digests for password encryption, and given that digests are one-way techniques, the next question that arises to our minds usually is: 'If I cannot decrypt passwords... how will I check if my users entered the right one?'

There is a very simple answer to this question, which we will adopt as our second rule:

II. Match input and stored passwords by comparing digests, not unencrypted strings.

Which means that, once our users have entered their passwords at sign in, we will digest their input with the same algorithm we have previously used when storing the password, and then compare both digests. As digest algorithms guarantee that two equal inputs will get equal digests (which is not true in the opposite direction), if digests match we can then consider the password input by the user as valid.