How to manage passwords in web applications?

Question

What is the current state of the art method for persisting users passwords in web applications? I am working with Java 6 + MySQL. Some of the questions I have in mind are: Is it better to encode in the app or by means of the DBMS (is this relevant at all)? Which algorithm is considered to be reliable? What to store in the database? Really new to this stuff, so might have missed some critical details in which case please do not hesitate to let me know.

Thank you.

Answer 1

bcrypt is a reliable algorithm for password hashing. It's been created by security professionals with security in mind.

bcrypt is slow (that's a good thing, makes rainbow tables creation a very costly). You can configure bcrypt with a variable amount of rounds to scale with whatever hardware you are using (more rounds = slower). Also, it automatically handles salt generation, a different salt per hash (which makes a rainbow table attack close to impossible, due to the slow nature of bcrypt and the fact that it would take a full rainbow table per password).

A Java implementation of bcrypt is available at jBCrypt.

Answer 2

You are going to face the wrath of, lot of self proclaimed security gurus, for asking an question like this. I myself, is not a security expert, but feel myself qualified enough to put forth some suggestions, driven by common sense. Depending on how secure you want your application to be, there are various methodologies.

1- Most of the attacks happen when you transfer credentials over wire. (Man in the middle stuff). So you need to make sure that the transfer of username and password should be made secure. (ssl or HTTP Digest). If security is very important, then you should explore if the username \ password need to be passed at all. ( by using some token based authentication like Oauth instead of username and password)

2- In case, if you decide to pass in username and password, you need to reduce the lifetime of the password string, in your application scope. Of course the best method is to implement a authentication filter based on a mechanism like LDAP. Most LDAP store, will allow you to store encrypted password and will allow you to perform authentication by binding.( so your application will never worry abt authentication and storing)

3- In case if you do bring your password to your application tier, of course you still need to reduce the lifetime of your plaintext password and encrypt using some secure hashing algorithm. But this approach and storing the password in your database (even in encrypted form) is not all that safe. ( especially, since you are storing the password, someone can circumvent your security layer)

So to summarize, based on the amount of security you need, you need to ask yourself the following question.

1- Should you need to send username / password?

2- Can you make sure that the password cannot be sniffed over the network?

3- Can you not delegate your authentication to a front filter, rather than bringing on to your application tier?

Answer 3

You should store securely hashed and salted version of passwords to the database. So that if your site is hacked, since users use the same pass almost everywhere their other accounts are not compromised.

To do this, the following should be done:

1. Use a secure hashing algorithm that is not yet broken (SHA-512 preferably, Sha1 and MD5 are broken)
2. Concatenate Username+Password+Salt (salt should be a relatively long constant string which is the same through the time on your application, and prevents Rainbow Attacks to some effort)
3. SHA-512 result of the concatenation and store it in the database.
4. everytime a user tries to login, hash his/her credentials using the same method and check against the data in the database, if the same, its correct.

It is not important where you hash passwords (App or DB) but DB's have limited secure hashing functionality, so app is the better choice.