How do I protect passwords in user store?

From Guidance Share

Jump to: navigation, search

J.D. Meier, Prashant Bansode, Alex Mackman


Avoid storing user passwords either in plaintext or encrypted format. Instead, store password hashes with salt. Ensure only required accounts have the access to user store database. Store your credential database on a physically separate server from your Web server.

By storing your password with hashes and salt, you help prevent an attacker who has compromised your user store from obtaining the user passwords and also it slows down an attacker who is attempting to perform a dictionary attack. This gives you additional time to detect and react to the compromise. By giving access only to required accounts you limit access to your credentials store, which reduces the chances of a compromise. By locating the credentials store database on a separate physical server you makes it harder for an attacker to compromise your credential store even if he or she manages to take control of your Web server. Use one of the membership providers that ensure secure credential storage and where possible, specify a hashed password format on your provider configuration. If you must implement your own user stores, store one-way password hashes with salt. Generate the hash from a combination of the password and a random salt value. Use a hashing algorithm such as SHA256.

Personal tools