For storing passwords Invoicebus uses something called one-way encryption with salted hash functions. Why is it called one way? Because it can not be decrypted ever, actually it’s not even an encryption. It’s a hash that is completely different thing. In fact, this is one way ticket algorithm for which there is no returning path. This is too awkward explanation of hashing and it might sounds like a rocket science, so with a couple of diagrams we will try to explain as simple as we can what it’s all about.

Password Creation

This process happens every time you enter new password, you sign up, reset or change your password.

• Step 1: Generating random text called random salt, unique for every user.
• Step 2: Generating hash value from both your plain text password and the salt. The hashed salt will be stored in the database (DB) for validating the password in future (at login).
• Step 3: Generating hash value of the concatenated hashes from the previous step. This is the final password hash that will be stored in the database (DB).

The entered password is transformed to a binary value which looks like random gibberish, and nobody, absolutely nobody can retrieve the original plain text back, at least not with today’s technology.

What if two users choose exactly the same password? Will their passwords be represented with same binary values in the database? – No! That’s what salt ensures, unique and hardened passwords, so every password is absolutely unique in the database. Even if you try to reset the old password by entering a new one that is exactly the same as the old password, its representation would be completely different in the database.

Example:
Old password: invoicebus123 —–> generated as: 8de0c3c519
New password: invoicebus123 —–> generated as: bc9fe98a12

Password Validation

Let see how the password is validated during the login process.

• Step 1: Generating hash value for your plain text password. Retrieving the stored salt form the database for that particular username.
• Step 2: Generating hash value of the concatenated values from the previous step.
• Step 3: Comparing the final hash password from the second step with the final password retrieved from the database. If they match the user is authenticated to access the system.

If ever happen to forget your password, Invoicebus would be unable to retrieve it in its original plain text representation. That’s why an email is sent with a link where you can enter a new password.

Be aware of online services that retrieve your password in plain text when you try to reset it. That indicates they don’t use hashing; probably they have some poor password encryption or don’t have an encryption at all. And even hashing is used, it’s a good advice to always choose unique and strong password for every online account you own.

Author information

Invoicebus Team

We're a team comprised of a few die-hard code freaks, lovers of beautiful design, stewards of simplicity, and passionately dedicated to the user experience. Invoicebus is a great vehicle to express what we do best. Click here to learn more on our business philosophy and how we actually do it.

| Twitter | Facebook |

The post Sleep tight, your data is secure, part 2 – Password Storage Security appeared first on Garage.