The Password Security Guide Every Developer Needs to Read.
Protect Your Data Like a Pro: 4 Powerful Methods for Securing Passwords
Why Should We Secure Passwords?
In the digital world, passwords are the primary keys to accessing various services, such as email, social media accounts, and banking systems. If passwords are not properly secured, personal data and sensitive information can be stolen by hackers. Some key reasons why we should secure passwords include:
- Preventing unauthorized access: If a password leaks, an account can be taken over.
- Avoiding brute-force attacks: Systems without hashing protection can be easily hacked.
- Protecting user data: Responsible platforms must ensure the security of user information.
Therefore, in this article, we will discuss four main methods for securing passwords:
- Hashing
- Salting
- Key Stretching
- Encryption
1. Hashing Passwords
What is Hashing?
Hashing is the process of converting text into a unique string that cannot be reversed back to its original form. This is different from encryption, which can still be decrypted. In the context of passwords, hashing ensures that even if a database is leaked, the original password remains unknown.
Popular Hashing Algorithms
a) MD5 (Not Recommended)
MD5 is a very fast hashing algorithm but is vulnerable to rainbow table and collision attacks.
Example of MD5 in PHP:
$password = "mypassword";
echo md5($password);
Weakness: It is no longer secure and not recommended for storing passwords.
b) SHA-1 (Not Recommended)
SHA-1 is stronger than MD5 but still vulnerable to collision attacks.
Example of SHA-1 in PHP:
$password = "mypassword";
echo sha1($password);
Weakness: Not recommended due to known security vulnerabilities.
c) SHA-2 (More Secure than SHA-1)
SHA-2 is more secure than SHA-1 and is often used in modern cryptography.
Example of SHA-256 in PHP:
$password = "mypassword";
echo hash("sha256", $password);
Platforms using SHA-2: TLS/SSL, Bitcoin, and other security systems.
d) bcrypt (Recommended)
bcrypt is one of the most secure hashing methods because it includes automatic salt and a cost parameter that can be adjusted to slow down brute-force attacks.
Example of bcrypt in PHP:
$password = "mypassword";
$hashedPassword = password_hash($password, PASSWORD_BCRYPT);
echo "Hashed Password: " . $hashedPassword;
e) Argon2 (Newer and Stronger)
Argon2 is the winner of the Password Hashing Competition in 2015 and is considered superior to bcrypt.
Example of hashing with Argon2 in PHP:
$hashedPassword = password_hash("mypassword", PASSWORD_ARGON2ID);
echo "Hashed Password: " . $hashedPassword;
2. Salting
Salting is a technique of adding a unique random string (salt) to a password before hashing. This helps prevent rainbow table attacks.
Example of using salt in PHP:
$password = "mypassword";
$salt = bin2hex(random_bytes(16));
hashedPassword = hash("sha256", $salt . $password);
echo "Salted Hash: " . $hashedPassword;
3. Key Stretching
Key stretching involves repeatedly hashing a password to slow down brute-force attacks. Commonly used algorithms include:
a) PBKDF2
Example of hashing with PBKDF2 in PHP:
$password = "mypassword";
$salt = random_bytes(16);
$hashedPassword = hash_pbkdf2("sha256", $password, $salt, 100000, 32);
echo "Hashed Password: " . bin2hex($hashedPassword);
b) Scrypt
Used in cryptocurrencies like Litecoin to enhance security against brute-force attacks.
4. Password Encryption
What is Encryption?
Encryption is the process of converting data into a format that cannot be read without a decryption key. However, this method is not recommended for storing passwords because they can be decrypted if the key is compromised.
Popular Encryption Algorithms
a) AES (Advanced Encryption Standard)
AES is a symmetric encryption algorithm commonly used in secure communications.
Example of encryption and decryption with AES in PHP:
$key = "my_secret_key_123";
$data = "mypassword";
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc'));
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $key, 0, $iv);
echo "Encrypted: " . base64_encode($iv . $encrypted);
b) RSA (Asymmetric Encryption)
RSA uses two keys: one for encryption (public key) and one for decryption (private key).
Example of encryption with RSA in PHP:
$plaintext = "mypassword";
openssl_public_encrypt($plaintext, $encrypted, $publicKey);
echo "Encrypted: " . base64_encode($encrypted);
Conclusion: Which One Should You Use?
For securely storing passwords, hashing is preferred over encryption. Here are recommendations based on needs:
| Method | Security | Speed | Recommended for Passwords? |
|---|---|---|---|
| MD5 | Low | Fast | ❌ No |
| SHA-1 | Low | Fast | ❌ No |
| SHA-2 | Medium | Fast | ❌ No |
| bcrypt | Very High | Slow | ✅ Yes |
| Argon2 | Very High | Slow | ✅ Yes |
| PBKDF2 | High | Medium | ✅ Yes |
| AES | High | Fast | ❌ No |
| RSA | Very High | Slow | ❌ No |
If you are building an authentication system, use bcrypt or Argon2 with password_hash() in PHP.
Time to Try It Yourself!
The more you practice, the more skilled you become in securing user data! 🚀