Most Secure way to store Passwords is to not Store them at all

Yeah! Do not store them at all! Easy! Let's look at some of the common ways of storing passwords.

Hashing

Plain hashes are not enough. Don't believe me? Check https://hashes.org: precomputed hashes in a rainbow table map straight back to the original password. A somewhat better approach is to generate a random salt per user and hash the salt together with the password, so the table attack has to be redone for every user. The salt has to be stored next to the hashed password, which is fine, because the salt is not a secret. What the salt does not fix: once the database leaks, a fast hash such as MD5 or SHA-1 can still be brute-forced offline one user at a time, so use a deliberately slow password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count).
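The salted scheme just described, as an added example (not code from the original page): PBKDF2-HMAC-SHA256 from the Python standard library, with the salt stored in clear next to the hash and a constant-time comparison on verification. The iteration count and the storage format are choices made for this example. An unsalted SHA-1 of the same password is computed beside it so the table-attack property is visible: two users with the same password get the same unsalted hash but different salted ones.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # illustrative choice; OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def unsalted_hash(password: str) -> str:
    """What a rainbow table targets: same password, same hash, for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Returns 'pbkdf2_sha256$<iterations>$<salt-hex>$<hash-hex>'.

    The random salt is stored in clear next to the hash.  It is not a secret;
    its job is to make every user's hash unique so no precomputed table applies.
    The iteration count makes each guess slow once the database has leaked.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored salt and iteration count."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: a plain == would leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample data: two users who happened to choose the same password.
    pw = "correct horse battery staple"
    print("unsalted, alice:", unsalted_hash(pw))
    print("unsalted, bob:  ", unsalted_hash(pw))   # identical: table lookup works
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted, alice:  ", alice)
    print("salted, bob:    ", bob)                 # different: table lookup fails
    print("verify right:", verify_password(pw, alice))
    print("verify wrong:", verify_password("Tr0ub4dor&3", alice))
```

The stored string carries its own algorithm name and iteration count, so the parameters can be raised later and old records re-hashed on the user's next successful login.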

Use an established identity manager

OAuth 2, OpenID Connect and SAML (federation protocols), Kerberos (enterprise single sign-on), and identity servers such as Keycloak, OpenAM and Gluu. Sometimes you have to be the provider yourself. In that case, use SRP.

Secure Remote Password (SRP)

A verifier-based key exchange protocol, standardised in RFC 2945 (and in RFC 5054 for use inside TLS). It is built on Diffie-Hellman, the standard key exchange in which only public values cross the wire, with the password mixed into the exponents so that the exchange also authenticates both parties: a man in the middle cannot derive the session key, and a fake (phishing) server never receives the password and learns nothing it can use for an offline dictionary attack, since each run tests at most one guess. SRP belongs to the family of augmented password-authenticated key exchange (PAKE) protocols.

Why is it good?

  • Drop-in replacement for password login, low cost, and acceptable to users: nothing changes from their point of view.
  • Breaking a captured exchange reduces to the discrete logarithm problem in the chosen group.
  • The password never leaves the client, unlike password authentication over SSH or TLS, where the server receives the plaintext password inside the encrypted channel.
  • No offline attack on captured traffic. Caveat: a leaked verifier database can still be attacked offline, one salted verifier at a time, so the verifier store still needs protecting.
  • Independent of third parties, unlike Kerberos, which needs a KDC.
  • Used in TLS (TLS-SRP, RFC 5054) and in products such as 1Password and Apple HomeKit.

Now, how does it work?

Registration flow (diagram in the original): the client picks a random salt s, derives a private value x from the salt, the user name and the password, and computes the verifier v = g^x mod N. It sends the user name, s and v to the server, which stores them. The password and x are never sent.

Login/auth flow (diagram in the original): the client sends its user name and an ephemeral public value A; the server replies with the stored salt and its own public value B, which has the verifier mixed in. Each side then combines what it knows (the client: the password and its secret exponent; the server: the verifier and its secret exponent) into the same session key K. The client proves knowledge of K with M1, the server answers with M2, and each side accepts only if the other's proof checks out.
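The two flows above carried out end to end, as an added example that is neither the page's own code nor the JSRP library: SRP-6a as specified in RFC 5054 with SHA-256 as the hash, the RFC's 1024-bit group (chosen here for speed; use 2048 bits or more in production), and the simple proof form M1 = H(A, B, K), M2 = H(A, M1, K). The user name, password and the in-memory `Server` class are constructed for the example. The two mandatory checks (A mod N != 0 on the server, B mod N != 0 on the client) are the ones RFC 5054 requires to stop either side forcing the shared secret to zero.

```python
import hashlib
import hmac
import os

# SRP-6a over the 1024-bit group from RFC 5054, Appendix A.  Hash is SHA-256
# throughout (RFC 5054 allows any hash).  The group is small to keep the
# example fast; production code should use 2048 bits or more.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes


def pad(n: int) -> bytes:
    """Big-endian encoding of n, left-padded to the length of N (RFC 5054 PAD)."""
    return n.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation of parts, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def register(identity: bytes, password: bytes):
    """Client side of registration: returns (salt, verifier) to send to the server.

    x and the password never leave the client; the server stores only (I, s, v).
    """
    salt = os.urandom(16)
    x = H(salt, hashlib.sha256(identity + b":" + password).digest())
    return salt, pow(g, x, N)


class Server:
    """Holds the verifier database and runs the server half of one login."""

    def __init__(self, db):
        self.db = db  # identity -> (salt, verifier); no password, no x

    def challenge(self, identity: bytes, A: int):
        if A % N == 0:  # mandatory check: A = 0 would make S = 0 for any password
            raise ValueError("invalid client public value")
        salt, v = self.db[identity]
        b = int.from_bytes(os.urandom(32), "big")
        B = (k * v + pow(g, b, N)) % N          # verifier mixed into B
        u = H(pad(A), pad(B))
        S = pow(A * pow(v, u, N), b, N)         # = g^(ab + bux)
        self.A, self.B, self.K = A, B, hashlib.sha256(pad(S)).digest()
        return salt, B

    def verify(self, M1: bytes) -> bytes:
        """Checks the client's proof and returns the server's proof M2."""
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + self.K).digest()
        if not hmac.compare_digest(M1, expected):
            raise ValueError("client proof failed")  # wrong password: no M2
        return hashlib.sha256(pad(self.A) + M1 + self.K).digest()


def login(identity: bytes, password: bytes, server: Server) -> bool:
    """Client side of a login.  Returns True only if both proofs verify."""
    a = int.from_bytes(os.urandom(32), "big")
    A = pow(g, a, N)
    salt, B = server.challenge(identity, A)      # messages 1 and 2
    if B % N == 0:  # mandatory check: a fake server cannot force S = 0
        raise ValueError("invalid server public value")
    x = H(salt, hashlib.sha256(identity + b":" + password).digest())
    u = H(pad(A), pad(B))
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # = g^(ab + bux)
    K = hashlib.sha256(pad(S)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K).digest()
    try:
        M2 = server.verify(M1)                   # messages 3 and 4
    except ValueError:
        return False
    # Client authenticates the server: only a holder of v could produce this M2.
    return hmac.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K).digest())


if __name__ == "__main__":
    # Constructed sample user; the server ends up holding only the salt and v.
    salt, v = register(b"alice", b"correct horse battery staple")
    srv = Server({b"alice": (salt, v)})
    print("right password:", login(b"alice", b"correct horse battery staple", srv))
    print("wrong password:", login(b"alice", b"Tr0ub4dor&3", srv))
```

Both sides end with the same S because (B - k*g^x)^(a + ux) and (A*v^u)^b both equal g^(ab + bux) mod N; anyone watching the wire sees only A, B, the salt and two hashes, and a wrong password on the client produces a different x and therefore a different K, which the server's M1 check rejects before any M2 is released.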

Useful libraries

  • JSRP: https://www.npmjs.com/package/jsrp