Pursuit of Better Password Storing Technique
May 14, 2012
From the early days I’m very much bothered about storing passwords in my application. After studying some cryptographic techniques I got some idea and I have been following them since then. I shared the idea which I was following in How your passwords are stored!. And I’m glad that I got a very good response and suggestion for that which totally lifted me to a new level on understanding the use of cryptographic hash functions for the purpose of storing passwords.
Even a week before, the news was ‘55000+ Twitter username and passwords are leaked’, which seemed astonishing. It is such a wonder that how things like this happen when very good security techniques are there.
Here I would like to share you a technique that I suddenly got in my mind. I certainly felt ‘Why not this?’.
The method which I’m going to propose here makes use of encryption. Instead of storing message digests in the database, I store the password encrypted by the same password.
encrypt(message, key) is the encryption function, I’m going to store
encrypt(password, password) in the database.
The reason why encryption methods are not used in storing passwords is storing and maintaining the key in a secure way. Here, in this method, I’m not going to store the key as both key and message are same. To authenticate the user on the next login, all I need to do is to decrypt the password stored with the key (password) the user is going to enter during the login process and check whether the decrypted password and the key are same. If not, he is not authenticated.
Advantages of this method:
- Attacks like rainbow tables are not possible as we are not using cryptographic hash functions.
- There is no chance of collision in encryption unlike hash functions
- When we use good encryption techniques such as AES, the security is much more
However, I’m not sure that this method is more secure than hashing. Hashing is more popular that I couldn’t find some other technique through google easily. This method could have been used already by many but I’m unaware. All I want from the reader is a suggestion that how much this is a good method. If it is not a good method, what are the reasons? I hope you developers would be giving me a good feedback.