Garage

Sleep tight, your data is secure, part 2 – Password Storage Security

Here we explain how your passwords are stored in the system and how they are kept secure.

To store passwords, Invoicebus uses something called one-way encryption with salted hash functions. Why is it called one-way? Because it can never be decrypted; in fact, it is not even encryption. It is a hash, which is a completely different thing: a one-way-ticket algorithm with no return path. That is an awkward explanation of hashing, and it might sound like rocket science, so we will use a couple of diagrams to explain as simply as we can what it is all about.

Password Creation

This process happens every time you enter a new password: when you sign up, or when you reset or change your password.

[Diagram: Invoicebus password creation]

  • Step 1: Generating a random text called a random salt, unique for every user.
  • Step 2: Generating hash values for both your plain text password and the salt. The hashed salt will be stored in the database (DB) for validating the password in the future (at login).
  • Step 3: Generating a hash value of the concatenated hashes from the previous step. This is the final password hash that will be stored in the database (DB).

The entered password is transformed into a binary value that looks like random gibberish, and nobody, absolutely nobody, can retrieve the original plain text back, at least not with today’s technology.

What if two users choose exactly the same password? Will their passwords be represented with the same binary values in the database? No! That is what the salt ensures: unique and hardened passwords, so every password is absolutely unique in the database. Even if you reset the old password by entering a new one that is exactly the same as the old password, its representation in the database would be completely different.

Example:
Old password: invoicebus123 -> generated as: 8de0c3c519
New password: invoicebus123 -> generated as: bc9fe98a12

Password Validation

Let's see how the password is validated during the login process.

[Diagram: Invoicebus password verification]

  • Step 1: Generating a hash value for your plain text password. Retrieving the stored salt from the database for that particular username.
  • Step 2: Generating a hash value of the concatenated values from the previous step.
  • Step 3: Comparing the final password hash from the second step with the final password hash retrieved from the database. If they match, the user is authenticated to access the system.
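
The creation and validation steps above as runnable Python, added here as an illustration and not Invoicebus's own code; it goes beyond the article with a second pair of functions that derive the stored value with PBKDF2, a deliberately slow function that makes each offline guess against a leaked database more expensive than a single fast hash does. SHA-256, the 16-byte salt, the iteration count, the dict record layout and all function names are assumptions, since the article names none of them.

```python
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:
    # Assumption: SHA-256. The article does not name its hash function.
    return hashlib.sha256(data).digest()


def create_record(password: str) -> dict:
    """Password creation, steps 1-3 as the article describes them."""
    salt = secrets.token_bytes(16)            # step 1: random per-user salt
    pw_hash = _h(password.encode("utf-8"))    # step 2: hash the password ...
    salt_hash = _h(salt)                      # ... and the salt
    final = _h(pw_hash + salt_hash)           # step 3: hash the concatenation
    # The hashed salt and the final hash are the two values kept in the DB.
    return {"salt_hash": salt_hash, "final": final}


def verify(password: str, record: dict) -> bool:
    """Password validation at login."""
    pw_hash = _h(password.encode("utf-8"))         # step 1: hash the candidate
    candidate = _h(pw_hash + record["salt_hash"])  # step 2: add the stored salt value
    # step 3: compare in constant time so timing does not reveal a partial match
    return hmac.compare_digest(candidate, record["final"])


def create_record_kdf(password: str, iterations: int = 600_000) -> dict:
    """Same idea, with a deliberately slow key-derivation function (PBKDF2)."""
    salt = secrets.token_bytes(16)
    final = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "final": final}


def verify_kdf(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["final"])


if __name__ == "__main__":
    old = create_record("invoicebus123")   # the article's example password
    new = create_record("invoicebus123")
    print(old["final"].hex()[:10], new["final"].hex()[:10])  # two different values
    print(verify("invoicebus123", old), verify("invoicebus124", old))
```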

If you ever happen to forget your password, Invoicebus would be unable to retrieve it in its original plain text representation. That’s why an email is sent with a link where you can enter a new password.

Beware of online services that retrieve your password in plain text when you try to reset it. That indicates they don’t use hashing; they probably have some poor password encryption or no encryption at all. And even when hashing is used, it is good advice to always choose a unique and strong password for every online account you own.

Invoicebus Team


4 Comments

  1. WOW,

    I never knew how this thing worked.. neat :)

    Thanks for the warning about online services that retrieve passwords in plain text. I’m going to pay attention to this one from now on.

    You guys are great.

  2. Invoicebus Team says:

    Hi Dragan,
    We are glad you get the point of this
    password storage security talk.

    Thanks for your beautiful compliment too,
    we appreciate it.

  3. Invoicebus Team says:

    26.09.2011 – Post edited.
    No change in information, just a slight reorganization of the titles.

    Kind Regards,

  4. […] the encryption on that data, revealing passwords and information in plain text. Image source: http://garage.invoicebus.com/733-sleep-tight-your-data-is-secure-part-2 So how can this be resolved? What about the use of a salt hash? A salt hash is when a random […]

  5. Hasan says:

    Wow, really nice tutorial. You made it supperrr simple. I was trying to understand the whole process for 3 hours and finally got it now. Thanks a lot.

  6. […] from invoicebus.com gives an overview of how to store passwords in a more secure way. Other variations for […]
