Hashing password for authentication

Greetings,

What do you think of the following approach? Storing passwords in a secure way in a SQL Server database

Hasn't one given the keys to the kingdom with this approach?

Not really. Someone would have to hack your full database to get the hashes, and if they can do that then you're screwed anyway. Hashing passwords in the DB is better than storing them as plaintext, which is still way too common. Go check Google Trends for the past 3-5 years on the number of MongoDB and S3 buckets that were unsecured and had plaintext passwords and other data.

The real problem is users choosing simple/common passwords whose hashes are already known, and not salting them in your system. That's not the fault of hashing. The best way to prevent that is to check against Have I Been Pwned: Pwned Passwords prior to hashing a password and warning the user to choose another. Google Chrome added this feature a while back, and many online services have incorporated it as well.

If you want to truly protect passwords in your database then use bcrypt.


Thanks very much @robert_volk, went ahead and implemented this on my Node.js Express.js API side instead of in a sproc, to make it store agnostic in case we move things to sqlite3.

Looking good!