TechFedd

Your gateway to technical excellence. Curated content from industry experts.

Quick Links

  • Browse Sources
  • Categories
  • Latest Articles

Company

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

Newsletter

Subscribe to get weekly updates on the latest technical content.

© 2025 TechFedd. All rights reserved.

PrivacyTermsSitemap
TechFedd LogoTechFedd
ArticlesSources
Sign InSign Up
  1. Home
  2. /
  3. Articles
  4. /
  5. System Design

How Databases Keep Passwords Securely 🔒

The System Design Newsletter

The System Design Newsletter

Neo Kim • Published 7 months ago • 1 min read

Read Original
How Databases Keep Passwords Securely 🔒

The article explains best practices for securely storing passwords in databases, emphasizing the importance of hashing, salting, and using modern algorithms like Argon2 to protect against attacks. It contrasts outdated methods (e.g., plaintext, MD5) with robust techniques, detailing implementation considerations such as computational cost and resistance to brute-force attempts. Key recommendations include leveraging specialized libraries and avoiding custom solutions.

Core Technical Concepts/Technologies

  • Hashing: One-way cryptographic transformation of passwords.
  • Salting: Adding random data to passwords before hashing to prevent rainbow table attacks.
  • Key Derivation Functions (KDFs): Algorithms like PBKDF2, bcrypt, and Argon2 designed for password storage.
  • Rainbow Tables: Precomputed tables for reversing hashes, mitigated by salting.
  • Brute-Force/GPU Attacks: Threats countered by computationally expensive KDFs.

Main Points

  • Never store passwords in plaintext or with weak hashes (e.g., MD5/SHA-1), which are vulnerable to breaches.
  • Use modern KDFs like Argon2 (preferred), bcrypt, or PBKDF2, which introduce intentional slowdowns to hinder attacks.
    • Example: Argon2 allows tuning memory, iterations, and parallelism for hardware resilience.
  • Always salt passwords with unique, random values per user to thwart rainbow tables.
    • Implementation: Generate salts using cryptographic PRNGs (e.g., os.urandom in Python).
  • Leverage existing libraries (e.g., Python’s passlib) instead of custom code to avoid pitfalls.
  • Adjust computational cost to balance security and performance (e.g., bcrypt’s work factor).

Technical Specifications/Code Examples

  • Argon2 example (Python): 
    from argon2 import PasswordHasher  
ph = PasswordHasher(time_cost=3, memory_cost=65536)  
hash = ph.hash("password123")
  • Bcrypt work factor: Recommended setting ≥12 (exponential cost increase).

Key Takeaways

  1. Prioritize KDFs like Argon2 or bcrypt for secure password storage.
  2. Unique salts per password are non-negotiable to prevent precomputed attacks.
  3. Avoid reinventing the wheel—use vetted libraries for hashing implementations.
  4. Tune cost parameters to maximize security within system constraints.

Limitations/Further Exploration

  • Legacy systems may lack support for modern KDFs, requiring migration strategies.
  • Hardware advancements (e.g., quantum computing) could future-proof algorithms.
  • Multi-factor authentication (MFA) complements password storage but isn’t covered here.

#61: Break Into Security Fundamentals (3 Minutes)

This article was originally published on The System Design Newsletter

Visit Original Source